
Administration Guide

Configuring the network settings

When shipped, each of the FortiWeb appliance’s physical network adapter ports (or, for FortiWeb-VM, vNICs) has a default IP address and netmask. If these IP addresses and netmasks are not compatible with the design of your unique network, you must configure them.

Network Interface*   IPv4 Address/Netmask   IPv6 Address/Netmask
port1                192.168.1.99/24        ::/0
port2                0.0.0.0/0              ::/0
port3                0.0.0.0/0              ::/0
port4                0.0.0.0/0              ::/0
* The number of network interfaces varies by model.

You must also configure FortiWeb with the IP addresses of your DNS servers and gateway router.

You can use either the web UI or the CLI to configure these basic network settings.

If you are installing a FortiWeb-VM virtual appliance, and you followed the instructions in the FortiWeb-VM Install Guide (http://docs.fortinet.com/fortiweb/hardware), you have already configured some of the settings for port1. To fully configure all of the network interfaces, you must complete this chapter.

To configure a network interface or bridge

To connect to the CLI and web UI, you must assign at least one FortiWeb network interface (usually port1) with an IP address and netmask so that it can receive your connections. Depending on your network, you usually must configure others so that FortiWeb can connect to the Internet and to the web servers it protects.

How should you configure the other network interfaces? Should you add more? Should each have an IP address? That varies. In some cases, you may not want to assign IP addresses to the other network interfaces.

Initially, each physical network port (or, on FortiWeb-VM, a vNIC) has only one network interface that directly corresponds to it — that is, a “physical network interface.” Multiple network interfaces (“subinterfaces” or “virtual interfaces”) can be associated with a single physical port, and vice versa (“redundant interfaces”/”NIC teaming”/”NIC bonding” or “aggregated links”). These can provide features such as link failure resilience or multi-network links.

FortiWeb does not currently support IPSec VPN, so the virtual interfaces for IPSec VPN are not supported. If you require these features, implement them separately on your FortiGate, VPN appliance, or firewall.

Usually, each network interface has at least one IP address and netmask. However, this is not true for bridges.

Bridges (V-zones) allow packets to travel between the FortiWeb appliance’s physical network ports at the data link layer (Layer 2), without an IP-layer address on those ports.

Use bridges when:

  • The FortiWeb appliance operates in True Transparent Proxy or Transparent Inspection mode, and
  • You want to deploy FortiWeb between incoming connections and the web server it is protecting, without changing your IP address scheme or performing routing or network address translation (NAT)

For bridges, do not assign IP addresses to the ports that you will connect to either the web server or to the overall network. Instead, group the two physical network ports by adding their associated network interfaces to a bridge.

Configure each network interface that will connect to your network or computer (see Configuring the network interfaces or Configuring a bridge (V-zone)). If you want multiple networks to use the same wire while minimizing the scope of broadcasts, configure VLANs (see Adding VLAN subinterfaces).

Configuring the network interfaces

You can configure network interfaces either via the web UI or the CLI. If your network uses VLANs, you can also configure VLAN subinterfaces. For details, see Adding VLAN subinterfaces.

If the FortiWeb appliance is operating in True Transparent Proxy or Transparent Inspection mode and you will configure a V-zone (bridge), do not assign IP addresses to any physical network interfaces other than port1. A network interface that already has an IP address cannot be added to a bridge. For details, see Configuring a bridge (V-zone).

If this FortiWeb will belong to a FortiWeb HA cluster, do not configure any network interface that will be used as an HA heartbeat and synchronization link. If you are re-cabling your network and must configure it, connect and switch to the new HA link first. Failure to do so could cause unintentional downtime, failover, and ignored IP address configuration. To switch the HA link, see FortiWeb high availability (HA) .

To customize the network interface information that FortiWeb displays when you go to System > Network > Interface, right-click the heading row. Select and clear the columns you want to display or hide, and then click Apply.

To configure a network interface’s IP address via the web UI
  1. Go to System > Network > Interface.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see Permissions.

    If the network interface’s Status column is Bring Up, its administrative status is currently “down” and it will not receive or emit packets, even if you otherwise configure it. To bring up the network interface, click the Bring Up link.

    This Status column is not the detected physical link status; it is the administrative status that indicates whether you permit the network interface to receive and/or transmit packets.

    For example, if the cable is physically unplugged, diagnose hardware nic list port1 or the Operation widget may indicate that the link is down, even though you have administratively enabled it by clicking Bring Up.

    By definition, HA heartbeat and synchronization links should always be “up.” Therefore, if you have configured FortiWeb to use a network interface for HA, its Status column will always display HA Member.

  2. Double-click the row of the network interface that you want to modify.

    The Edit Interface dialog appears. Name displays the name and media access control (MAC) address of this network interface. The network interface is directly associated with one physical link as indicated by its name, such as port2.

    In HA, it may use a virtual MAC instead. For details, see HA heartbeat and FortiWeb high availability (HA).

  3. Configure these settings:

    Addressing Mode Specify whether FortiWeb acquires an IPv4/IPv6 address for this network interface manually or using DHCP.
    IP/Netmask

    Type the IP address and subnet mask, separated by a forward slash ( / ), such as 192.0.2.2/24 for an IPv4 address or 2001:0db8:85a3::8a2e:0370:7334/64 for an IPv6 address.

    The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet.

    In Active-Passive and Standard Active-Active HA modes, IPv6 duplicate address detection (DAD) is disabled by default, so FortiWeb does not detect whether the IPv6 address of a network interface conflicts with another device on the same link. To enable it, run the following command on the master node:

    config system global
      set ipv6-dad-ha enable
    end

    The conflict check is a one-time action executed only when you configure the IPv6 address of the network interface. It is not performed again on reboot or failover, even if a conflicting address exists.

    Administrative Access Enable the types of administrative access that you want to permit to this interface.

    These options do not disable outgoing administrative connections, such as update polling connections to the FDN or outgoing ICMP resulting from a CLI command such as execute ping. Neither do they govern traffic destined for a web server or virtual server, which are governed by policies. These options only govern incoming connections destined for the appliance itself.

    Caution: Enable only on network interfaces connected to trusted private networks (defined in Trusted Host #1, Trusted Host #2, Trusted Host #3) or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance.
    HTTPS Enable to allow secure HTTPS connections to the web UI through this network interface. To configure the listening port number, see Global web UI & CLI settings.
    PING Enable to allow:
    • ICMP type 8 (ECHO_REQUEST)
    • UDP ports 33434 to 33534

    for ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), FortiWeb replies with ICMP type 0 (ECHO_REPLY, or “pong”).

    Note: Disabling PING only prevents FortiWeb from receiving ICMP type 8 (ECHO_REQUEST) and traceroute-related UDP. It does not disable FortiWeb CLI commands such as execute ping or execute traceroute that send such traffic.

    For the management port, even when PING is enabled, you must also configure a Firewall rule to allow execute ping through that port.
    HTTP Enable to allow HTTP connections to the web UI through this network interface. To configure the listening port number, see Global web UI & CLI settings.

    HTTP access to the FortiWeb GUI is automatically redirected to HTTPS, so you cannot enable HTTP alone; it must be enabled together with HTTPS.
    SSH Enable to allow SSH connections to the CLI through this network interface.
    SNMP Enable to allow SNMP queries to this network interface, if queries have been configured and the sender is a configured SNMP manager. To configure the listening port number and configure queries and traps, see SNMP traps & queries.
    FortiWeb Manager Enable to allow FortiWeb Manager to connect to this appliance using this network interface.
    WCCP Protocol Select if the interface is used to communicate with a FortiGate unit configured as a WCCP server.

    Available only when the operation mode is WCCP.

    For details, see Setting the operation mode and Configuring FortiWeb to receive traffic via WCCP.
    Description Type a comment. The maximum length is 63 characters. Optional.
  4. Click OK.

    If you were connected to the web UI through this network interface, you are now disconnected from it.

    To access the web UI again, in your web browser, modify the URL to match the new IP address of the network interface. For example, if you configured the network interface with the IP address 10.10.10.5, you would browse to: https://10.10.10.5

If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiWeb appliance, you may also need to modify the IP address and subnet of your computer to match the FortiWeb appliance’s new IP address.

To configure a network interface’s IPv4 address via the CLI

Enter the following commands:

config system interface
  edit <interface_name>
    set mode {manual|dhcp}
    set ip <address_ipv4> <netmask_ipv4mask>
    set allowaccess {http https ping snmp ssh telnet}
  end

where:

  • <interface_name> is the name of a network interface
  • {manual|dhcp} specifies whether the address is configured manually or acquired using DHCP
  • <address_ipv4> is the IP address assigned to the network interface
  • <netmask_ipv4mask> is its netmask in dotted decimal format
  • {http https ping snmp ssh telnet} is a space-delimited list of zero or more administrative protocols that you want to allow to access the FortiWeb appliance through the network interface

HTTP and Telnet connections are not secure, and can be intercepted by a third party. If possible, enable these protocols only on network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through these protocols could compromise the security of your FortiWeb appliance.

If you were connected to the CLI through this network interface, you are now disconnected from it.

To access the CLI again, in your terminal client, modify the address to match the new IP address of the network interface. For example, if you configured the network interface with the IP address 172.16.1.20, you would connect to that IP address.

If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiWeb appliance, you may also need to modify the IP address and subnet of your computer to match the FortiWeb appliance’s new IP address.
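As an added example (not Fortinet code), the following Python script audits a captured config system interface dump for the risks the cautions above describe: cleartext protocols (HTTP, Telnet) in allowaccess, administrative access enabled on an interface other than the management port, admin access on a DHCP-addressed interface, and two interfaces addressed on the same subnet, which this page says is not permitted. The dump is constructed from the CLI syntax shown in this section; the script assumes port1 is the dedicated management port and ignores any commands the page does not document.

```python
"""Audit a FortiWeb 'config system interface' dump for risky admin access.

Added example, not Fortinet code. The parser understands only the commands
this page documents: edit/next/end, 'set mode {manual|dhcp}',
'set ip <addr> <mask>' and 'set allowaccess <proto ...>'. Other 'set'
lines are ignored. port1 is assumed to be the management port.
"""
import ipaddress
import shlex

INSECURE = {"http", "telnet"}   # cleartext protocols the page calls "not secure"
MGMT_PORT = "port1"             # assumption: dedicated management interface

# Constructed sample dump, modelled on the CLI syntax shown on this page.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set mode manual
        set ip 192.168.1.99 255.255.255.0
        set allowaccess https ssh ping
    next
    edit "port2"
        set ip 10.0.0.5 255.255.255.0
        set allowaccess http https telnet ping
    next
    edit "port3"
        set ip 0.0.0.0 0.0.0.0
    next
    edit "port4"
        set ip 172.16.1.30 255.255.255.0
    next
    edit "vlan100"
        set ip 172.16.1.20 255.255.255.0
        set allowaccess https
    next
end
"""


def parse_interfaces(text):
    """Return {name: {"ip": IPv4Interface or None, "allowaccess": set, "mode": str}}."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "edit" and len(tok) == 2:
            current = tok[1]
            ifaces[current] = {"ip": None, "allowaccess": set(), "mode": "manual"}
        elif tok[0] in ("next", "end"):
            current = None
        elif tok[0] == "set" and current is not None and len(tok) >= 2:
            # 0.0.0.0/0.0.0.0 is the page's "no address" value; treat as unassigned.
            if tok[1] == "ip" and len(tok) == 4 and tok[2] != "0.0.0.0":
                ifaces[current]["ip"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
            elif tok[1] == "allowaccess":
                ifaces[current]["allowaccess"] = set(tok[2:])
            elif tok[1] == "mode" and len(tok) == 3:
                ifaces[current]["mode"] = tok[2]
    return ifaces


def audit(ifaces):
    """Return a sorted list of (interface, finding) tuples."""
    findings = []
    for name, i in ifaces.items():
        bad = i["allowaccess"] & INSECURE
        if bad:
            findings.append((name, f"cleartext admin protocol enabled: {' '.join(sorted(bad))}"))
        if i["allowaccess"] and name != MGMT_PORT:
            findings.append((name, "admin access enabled on a non-management interface"))
        if i["allowaccess"] and i["mode"] == "dhcp":
            findings.append((name, "admin access on a DHCP-addressed interface"))
    # The page states two interfaces cannot share a subnet; flag any overlap.
    addressed = [(n, i["ip"].network) for n, i in ifaces.items() if i["ip"] is not None]
    for a in range(len(addressed)):
        for b in range(a + 1, len(addressed)):
            (na, neta), (nb, netb) = addressed[a], addressed[b]
            if neta.overlaps(netb):
                findings.append((na, f"subnet {neta} overlaps {nb} ({netb})"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, msg in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{iface}: {msg}")
```

Paste the output of show system interface from a real appliance in place of the constructed sample; anything the parser does not recognise is skipped rather than misreported.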

Adding VLAN subinterfaces

You can add a virtual local area network (VLAN) subinterface to a network interface or bridge on the FortiWeb appliance, up to a maximum of 512 VLAN subinterfaces in total.

Similar to a local area network (LAN), use an IEEE 802.1Q (http://www.ieee802.org/1/pages/802.1Q.html) VLAN to reduce the size of a broadcast domain and thereby reduce the amount of broadcast traffic received by network hosts, improving network performance.

In True Transparent Proxy mode, to expand the VLAN space, FortiWeb supports Q-in-Q: it stacks 802.1Q and 802.1ad (http://www.ieee802.org/1/pages/802.1Q.html) headers in the Ethernet frame so that many 802.1Q VLANs can be carried inside one outer (core) VLAN. The 802.1Q VLAN (EtherType 0x8100) is encapsulated in the 802.1ad VLAN (EtherType 0x88A8). Create an 802.1ad VLAN subinterface on a physical interface, then create 802.1Q VLAN subinterfaces on that 802.1ad subinterface. Packets are then carried with two VLAN tags.

VLANs are not designed to be a security measure, and should not be used where untrusted devices and/or individuals outside of your organization have access to the equipment. VLAN tags are not authenticated, and can be ignored or modified by attackers. VLAN tags rely on the voluntary compliance of the receiving host or switch.

Unlike physical LANs, VLANs do not require you to install separate hardware switches and routers to achieve this effect. Instead, VLAN-compliant switches, such as FortiWeb appliances, restrict broadcast traffic based upon whether its VLAN ID matches that of the destination network. As such, VLAN trunks can be used to join physically distant broadcast domains as if they were close.

The VLAN ID is part of the tag that is inserted into each Ethernet frame in order to identify traffic for a specific VLAN. VLAN header addition is handled automatically by FortiWeb appliances, and does not require that you adjust the maximum transmission unit (MTU). Depending on whether the device receiving a packet operates at Layer 2 or Layer 3 of the network, this tag may be added, removed, or rewritten before forwarding to other nodes on the network.
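To make the tag layout concrete, here is an added Python example (not FortiWeb code) that parses the stacked 802.1ad/802.1Q headers described above, reports the EtherType and offset of the payload that follows them, and rewrites a VID in place. The sample frame is constructed. The rewrite illustrates the earlier caution: nothing in the tag is authenticated, so any host with access to the trunk can move a frame into another VLAN with a two-byte edit.

```python
"""Parse and rewrite stacked 802.1Q / 802.1ad (Q-in-Q) VLAN tags.

Added example, not FortiWeb code. Layout handled:
  dst MAC(6) | src MAC(6) | [TPID(2) TCI(2)]* | EtherType(2) | payload
TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits).
"""
import struct

TPID_8021Q = 0x8100   # customer tag (C-tag)
TPID_8021AD = 0x88A8  # service tag (S-tag); the outer tag in Q-in-Q
VLAN_TPIDS = (TPID_8021Q, TPID_8021AD)


def build_frame(dst, src, tags, ethertype, payload):
    """Assemble a frame; tags is [(tpid, pcp, dei, vid), ...], outer tag first."""
    hdr = bytearray(dst + src)
    for tpid, pcp, dei, vid in tags:
        if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
            raise ValueError("invalid tag field")
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)
    hdr += struct.pack("!H", ethertype)
    return bytes(hdr) + payload


def parse_vlan_tags(frame):
    """Walk the tag stack. Returns (tags, payload_ethertype, payload_offset).

    tags is a list of {"tpid", "pcp", "dei", "vid"} dicts, outer to inner. The
    loop stops at the first EtherType that is not a VLAN TPID, so untagged,
    single-tagged and Q-in-Q frames are all handled by the same code.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    pos, tags = 12, []
    while True:
        if len(frame) < pos + 2:
            raise ValueError("truncated frame: EtherType missing")
        (ethertype,) = struct.unpack_from("!H", frame, pos)
        if ethertype not in VLAN_TPIDS:
            break
        if len(frame) < pos + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, pos + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        pos += 4
    return tags, ethertype, pos + 2


def is_qinq(tags):
    """True for the layout this page describes: one S-tag wrapping one C-tag."""
    return (len(tags) == 2 and tags[0]["tpid"] == TPID_8021AD
            and tags[1]["tpid"] == TPID_8021Q)


def retag(frame, index, new_vid):
    """Rewrite the VID of tag `index` (0 = outer), keeping PCP and DEI.

    The tag carries no integrity protection, so this is all an attacker on
    the trunk needs to do to move the frame into a different VLAN.
    """
    tags, _, _ = parse_vlan_tags(frame)
    if not 0 <= index < len(tags):
        raise IndexError("no such tag")
    if not 1 <= new_vid <= 4094:
        raise ValueError("VID must be 1-4094")
    tci_pos = 12 + 4 * index + 2
    (tci,) = struct.unpack_from("!H", frame, tci_pos)
    out = bytearray(frame)
    struct.pack_into("!H", out, tci_pos, (tci & 0xF000) | new_vid)
    return bytes(out)


# Constructed sample: S-tag VID 200 carrying C-tag VID 100 (PCP 5), IPv4 stub payload.
SAMPLE_FRAME = build_frame(
    bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
    [(TPID_8021AD, 0, 0, 200), (TPID_8021Q, 5, 0, 100)],
    0x0800, b"\x45\x00\x00\x14" + b"\x00" * 16)

if __name__ == "__main__":
    tags, etype, off = parse_vlan_tags(SAMPLE_FRAME)
    print(tags, hex(etype), off, "qinq" if is_qinq(tags) else "not qinq")
    print(parse_vlan_tags(retag(SAMPLE_FRAME, 1, 300))[0])
```

The payload offset returned by parse_vlan_tags is what a capture tool or a layer-3 filter must use to find the IP header; a filter that assumes a fixed 14-byte header silently mis-parses every tagged frame.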

Cisco Discovery Protocol (CDP) is supported for VLANs, including when FortiWeb is operating in either of the transparent modes.

If your FortiWeb model uses the Data Plane Development Kit (DPDK) for packet processing (for example, models 3000E, 3010E and 4000E), you cannot use a VLAN subinterface as the data capture port in Offline Protection mode. On these models, remove any VLAN subinterface configuration from a physical interface before you use it for data capture; the physical interface itself still captures and transmits VLAN-tagged traffic.

To configure a VLAN subinterface
  1. Go to System > Network > Interface.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see Permissions.

  2. Click Create New.
  3. Configure these settings:

    Name Type the name (for example, vlan100) of this VLAN subinterface that can be referenced by other parts of the configuration. The maximum length is 15 characters.

    Tip: The name cannot be changed once you save the entry. For a workaround, see Renaming entries.
    Type Select VLAN.
    Interface Select the name of the physical network port with which the VLAN subinterface will be associated.
    VLAN ID

    Type the VLAN ID, such as 100, of packets that belong to this VLAN subinterface.

    • If one physical network port (that is, a VLAN trunk) will handle multiple VLANs, create multiple VLAN subinterfaces on that port, one for each VLAN ID that will be received.
    • If multiple different physical network ports will handle the same VLANs, on each of the ports, create VLAN subinterfaces that have the same VLAN IDs.

    The valid range is 1 to 4094 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface.

    For the maximum number of interfaces for your FortiWeb model, including VLAN subinterfaces, see Appendix B: Maximum configuration values.

    VLAN Protocol Select the VLAN type, 802.1Q or 802.1ad.
    Addressing Mode Specify whether FortiWeb acquires an IPv4/IPv6 address for this VLAN manually or using DHCP.
    IP/Netmask Type the IP address/subnet mask associated with the VLAN, if any. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet.
    Administrative Access Enable the types of administrative access that you want to permit to this interface.

    These options do not disable outgoing administrative connections, such as update polling connections to the FDN or outgoing ICMP resulting from a CLI command such as execute ping. Neither do they govern traffic destined for a web server or virtual server, which are governed by policies. These options only govern incoming connections destined for the appliance itself.

    Caution: Enable only on network interfaces connected to trusted private networks (defined in Trusted Host #1, Trusted Host #2, Trusted Host #3) or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance.
    HTTPS Enable to allow secure HTTPS connections to the web UI through this network interface. To configure the listening port number, see Global web UI & CLI settings.
    PING Enable to allow:
    • ICMP type 8 (ECHO_REQUEST)
    • UDP ports 33434 to 33534

    for ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), FortiWeb replies with ICMP type 0 (ECHO_REPLY, or “pong”).

    Note: Disabling PING only prevents FortiWeb from receiving ICMP type 8 (ECHO_REQUEST) and traceroute-related UDP. It does not disable FortiWeb CLI commands such as execute ping or execute traceroute that send such traffic.

    HTTP Enable to allow HTTP connections to the web UI through this network interface. To configure the listening port number, see Global web UI & CLI settings.

    HTTP access to the FortiWeb GUI is automatically redirected to HTTPS, so you cannot enable HTTP alone; it must be enabled together with HTTPS.
    SSH Enable to allow SSH connections to the CLI through this network interface.
    SNMP Enable to allow SNMP queries to this network interface, if queries have been configured and the sender is a configured SNMP manager. To configure the listening port number and configure queries and traps, see SNMP traps & queries.
    FortiWeb Manager Enable to allow FortiWeb Manager to connect to this appliance using this network interface.
    WCCP Protocol Select if the interface is used to communicate with a FortiGate unit configured as a WCCP server.

    Available only when the operation mode is WCCP.

    For details, see Setting the operation mode and Configuring FortiWeb to receive traffic via WCCP.
  4. Click OK.

    Your new VLAN is initially hidden in the list of network interfaces. To expand the network interface listing in order to view all of a port’s associated VLANs, click the + (plus sign) beside the name of the port.

Configuring a bridge (V-zone)

You can configure a bridge either via the web UI or the CLI.

Bridges allow network connections to travel through the FortiWeb appliance’s physical network ports without explicitly connecting to one of its IP addresses. Due to this nature, bridges are configured only when FortiWeb is operating in either True Transparent Proxy or Transparent Inspection mode.

Bridges on the FortiWeb appliance support IEEE 802.1d (https://1.ieee802.org) spanning tree protocol (STP) by forwarding bridge protocol data unit (BPDU) packets, but do not generate BPDU packets of their own. Therefore, in some cases, you might need to manually test the bridged network for Layer 2 loops. Also, you may prefer to manually design a tree that uses the minimum cost path to the root switch for design and performance reasons.

True bridges typically have no IP address of their own. They use only media access control (MAC) addresses to describe the location of physical ports within the scope of their network and do network switching at Layer 2 of the OSI model.

You can configure FortiWeb to monitor the members of a bridge. When monitoring is enabled, if a network interface that belongs to the bridge goes down, FortiWeb automatically brings down the other members.

Using network interface MAC addresses in True Transparent Proxy mode

When the operation mode is True Transparent Proxy, by default, traffic that travels through a bridge to the back-end servers preserves the MAC address of the source.

If you are using FortiWeb with front-end load balancers that are in a high availability cluster that connects via multiple bridges, this mechanism can cause switching problems on failover.

To avoid this problem, the config system v-zone command allows you to configure FortiWeb to use the MAC address of the FortiWeb network interface instead. The option is not available in the web UI. For details, see the FortiWeb CLI Reference:

http://docs.fortinet.com/fortiweb/reference

To configure a bridge via the web UI
  1. If you have installed a physical FortiWeb appliance, plug in network cables to connect one of the physical ports in the bridge to your protected web servers, and the other port to the Internet or your internal network.

    Because port1 is reserved for connections with your management computer, for physical appliances, this means that you must plug cables into at least 3 physical ports:

    • port1 to your management computer
    • one port to your web servers
    • one port to the Internet or your internal network

    If you have installed a virtual FortiWeb appliance (FortiWeb-VM), the number and topology of connections of your physical ports depend on your vNIC mappings. For details, see the FortiWeb-VM Install Guide:

    http://docs.fortinet.com/fortiweb/hardware

    To use fail-to-wire, the bridge must be comprised of the ports that have hardware support for fail-to-wire. For example, on FortiWeb 1000C, this is port3 and port4. See Fail-to-wire for power loss/reboots and the QuickStart Guide for your model.

    If you have installed FortiWeb-VM, configure the virtual switch (vSwitch). For details, see the FortiWeb-VM Install Guide:

    http://docs.fortinet.com/fortiweb/hardware

  2. Go to System > Network > V-zone.

    This option is not displayed if the current operating mode does not support bridges.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see Permissions.

  3. Click Create New.
  4. Configure these settings:

    Name Type a unique name that can be referenced in other parts of the configuration. The maximum length is 15 characters. The name cannot be changed once you save the entry. For a workaround, see Renaming entries.
    Interface name

    Displays a list of network interfaces that you can add to a bridge.

    Only interfaces that currently have no IP address and are not members of another bridge are displayed.

    To add one or more network interfaces to the bridge, select their names, then click the right arrow.

    Since FortiWeb 6.1, a single V-zone can contain both physical interfaces and VLAN subinterfaces (802.1Q and 802.1ad).

    Note: Only network interfaces with no IP address can belong to a bridge. port1 is reserved for your management computer, and cannot be bridged. To remove any other network interface’s IP address so that it can be included in the bridge, set its IP/Netmask to 0.0.0.0/0.0.0.0.

    Member Displays a list of network interfaces that belong to this bridge.

    To remove a network interface from the bridge, select its name, then click the left arrow.

    Tip: If you will be configuring bypass/fail-to-wire, the pair of bridge ports that you select should be ones that are wired together to support it. For details, see Fail-to-wire for power loss/reboots.
  5. Click OK.

    The bridge appears in System > Network > V-zone.

  6. To configure FortiWeb to automatically bring down all members of this v-zone when one member goes down, select Member Monitor.
  7. To use the bridge, select it in a policy (see Configuring an HTTP server policy).

To configure a bridge in the CLI
  1. If you have installed a physical FortiWeb appliance, connect one of the physical ports in the bridge to your protected web servers, and the other port to the Internet or your internal network.

    Because port1 is reserved for connections with your management computer, for physical appliances, this means that you must connect at least 3 ports:

    • port1 to your management computer
    • one port to your web servers
    • one port to the Internet or your internal network

    If you have installed a virtual FortiWeb appliance, the number and topology of connections of your physical ports depend on your vNIC mappings. For details, see the FortiWeb-VM Install Guide:

    http://docs.fortinet.com/fortiweb/hardware

    If you have installed FortiWeb as a virtual appliance (FortiWeb-VM), configure the virtual switch. For details, see the FortiWeb-VM Install Guide:

    http://docs.fortinet.com/fortiweb/hardware

  2. Enter the following commands:

    config system v-zone
      edit <v-zone_name>
        set interfaces {<port_name> ...}
        set monitor {enable | disable}
      end

    where:

    • <v-zone_name> is the name of the bridge
    • {<port_name> ...} is a space-delimited list of one or more network ports that will be members of this bridge. Eligible network ports must not yet belong to a bridge, and must have no assigned IP address. For a list of eligible ports, enter:

      set interfaces ?

    • set monitor {enable | disable} is an optional setting that specifies whether FortiWeb automatically brings down all members of this v-zone when one member goes down.

  3. To use the bridge, select it in a policy. For details, see Configuring an HTTP server policy.

Configuring virtual IP

Virtual IP addresses are the IP addresses that are paired with the domain name of your application. When users visit your application, the destination of their requests is one of these IP addresses.

You can later attach one or more virtual IP addresses to a virtual server, and then reference the virtual server in a server policy. The web protection profile in the server policy is applied to all the virtual IPs attached to that virtual server.

To configure a virtual IP
  1. Go to System > Network > Virtual IP.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see Permissions.

  2. Click Create New.
  3. Configure these settings:

    Name Enter a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
    IPv4 Address / IPv6 Address

    Enter the IP address and subnet of the virtual IP.

    If the FortiWeb appliance is operating in Offline Protection mode or either of the transparent modes, FortiWeb ignores this IP address when it determines whether or not to apply a server policy to the connection, so you can specify any IP address except the address of the web server.

    The virtual IP address cannot be the same as the IP address of any of the interfaces.

    Interface

    Select the network interface or bridge the virtual IP is bound to and where traffic destined for the virtual IP arrives.

    To configure an interface or bridge, see To configure a network interface or bridge.

Link aggregation

You can configure a network interface that is the bundle of several physical links via either the web UI or the CLI.

The Link Aggregation Control Protocol (LACP) is currently supported only when FortiWeb is deployed in Reverse Proxy or True Transparent Proxy mode. It can be applied to VLAN subinterfaces. It cannot be applied to ports that are used for the HA heartbeat, but it can be applied to monitor ports in an HA cluster. It is not supported in FortiWeb-VM.

Link aggregation (also called NIC teaming/bonding or link bundling) forms a network interface that queues and transmits over multiple wires (also called a port channel), instead of only a single wire (as FortiWeb would normally do with a single network interface for each physical port). This multiplies the bandwidth that is available to the network interface, and therefore is useful if FortiWeb will be inline with your network backbone.

Link aggregation on FortiWeb complies with IEEE 802.3ad (http://grouper.ieee.org/groups/802/3/ad/index.html) and distributes Ethernet frames using a modified round-robin behavior. If a port in the aggregate fails, traffic is redistributed automatically to the remaining ports with the only noticeable effect being a reduced bandwidth. When broadcast or multicast traffic is received on a port in the aggregate interface, reverse traffic will return on the same port.

When link aggregation uses a round-robin that considers only Layer 2, Ethernet frames that comprise an HTTP request can sometimes arrive out of order. Because network protocols at higher layers often do not gracefully handle this (especially TCP, which may decrease network performance by requesting retransmission when the expected segment does not arrive), FortiWeb’s frame distribution algorithm is configurable.

For example, if you notice that performance with link aggregation is not as high as you expect, you could try configuring FortiWeb to queue related frames consistently to the same port by considering the IP session (Layer 3) and TCP connection (Layer 4), not simply the MAC address (Layer 2).

You must also configure the router, switch, or other link aggregation control protocol (LACP)-compatible device at the other end of FortiWeb’s network cables to match, with identical:

• Link speed
• duplex/simplex setting
• ports that can be aggregated

This will allow the two devices to use the cables between those ports to form a trunk, not an accidental Layer 2 (link) network loop. FortiWeb will use LACP to:

• detect suitable links between itself and the other device, and form a single logical link
• detect individual port failure so that the aggregate can redistribute queuing to avoid a failed port
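The following added Python simulation (not FortiWeb's implementation; the guide does not specify its exact algorithms) illustrates why the distribution policy matters. Per-frame round-robin stands in for the Layer 2-only behaviour described above, and a hash over the IP addresses and TCP ports stands in for the layer3_4 policy. Member link latencies are constructed to differ, as they would under uneven queueing. compare() reports how many segments of one TCP connection arrive out of order under each policy, and spread() shows how each policy balances frames across the members.

```python
"""Simulate frame distribution over an aggregate and measure TCP reordering.

Added illustration, not FortiWeb code. Assumptions: frame i is handed to the
aggregate at time i; each member link adds a fixed (constructed) latency;
the receiver sees frames in arrival order, ties in send order.
"""
import hashlib
from collections import namedtuple

Frame = namedtuple("Frame", "seq src_ip dst_ip sport dport")


def select_round_robin(frame, n_links):
    """Spray frames over the members in turn (per-frame, no flow affinity)."""
    return frame.seq % n_links


def select_flow_hash(frame, n_links):
    """Pin every frame of one TCP connection to the same member (layer3_4 style)."""
    key = f"{frame.src_ip}|{frame.dst_ip}|{frame.sport}|{frame.dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_links


def deliver(frames, latencies, select):
    """Return the sequence numbers in the order the far end receives them."""
    arrivals = []
    for t, fr in enumerate(frames):
        link = select(fr, len(latencies))
        arrivals.append((t + latencies[link], t, fr.seq))
    return [seq for _, _, seq in sorted(arrivals)]


def count_reordered(order):
    """Frames that arrive after a frame with a higher sequence number.

    Each of these is a gap TCP sees before the missing segment shows up, the
    situation the text above says can trigger needless retransmission.
    """
    high, n = -1, 0
    for seq in order:
        if seq < high:
            n += 1
        high = max(high, seq)
    return n


def spread(frames, n_links, select):
    """Per-member frame counts, to compare how evenly each policy balances."""
    counts = [0] * n_links
    for fr in frames:
        counts[select(fr, n_links)] += 1
    return counts


# Constructed sample: one TCP connection of 12 segments over 3 members whose
# latencies differ by more than the inter-frame gap.
LATENCIES = [1, 4, 2]
CONN = [Frame(i, "10.0.0.5", "192.0.2.10", 51234, 443) for i in range(12)]


def compare(frames=CONN, latencies=LATENCIES):
    """Out-of-order frame count for one connection under each policy."""
    return {
        "round_robin": count_reordered(deliver(frames, latencies, select_round_robin)),
        "flow_hash": count_reordered(deliver(frames, latencies, select_flow_hash)),
    }


if __name__ == "__main__":
    print("receive order, round-robin:", deliver(CONN, LATENCIES, select_round_robin))
    print("receive order, flow hash:  ", deliver(CONN, LATENCIES, select_flow_hash))
    print(compare())
    many = [Frame(0, "10.0.0.5", "192.0.2.10", 40000 + i, 443) for i in range(300)]
    print("spread over 3 links, flow hash:", spread(many, 3, select_flow_hash))
```

The trade-off the Algorithm setting describes is visible in the numbers: round-robin fills every member evenly but reorders a single connection, while the flow hash keeps each connection in order and only balances across many connections.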

    To configure a link aggregate interface
    1. Go to System > Network > Interface.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see Permissions.
    2. Click Create New.
    3. Configure these settings:
      Name
      Type the name (such as agg) of this logical interface that can be referenced by other parts of the configuration. The maximum length is 15 characters.

      Tip: The name cannot be changed once you save the entry. For a workaround, see Renaming entries.
      Type
      Select 802.3ad Aggregate.
      Lacp-rate
      Select the rate of transmission for the LACP frames (LACPDUs) between FortiWeb and the peer device at the other end of the trunking cables, either:

      • SLOW—Every 30 seconds.
      • FAST—Every 1 second.

      Note: This must match the setting on the other device. If the rates do not match, FortiWeb or the other device could mistakenly believe that the other’s ports have failed, effectively disabling ports in the trunk.
      Algorithm
      Select the connectivity layers that will be considered when distributing frames among the aggregated physical ports.

      • layer2—Consider only the MAC address. This results in the most even distribution of frames, but may be disruptive to TCP if packets frequently arrive out of order.
      • layer2_3—Consider both the MAC address and IP session. Queue frames involving the same session to the same port. This results in slightly less even distribution, and still does not guarantee perfectly ordered TCP sessions, but does result in less jitter within the session.
      • layer3_4—Consider both the IP session and TCP connection. Queue frames involving the same session and connection to the same port. Distribution is not even, but this does prevent TCP retransmissions associated with link aggregation.
      Addressing Mode
      Specify whether FortiWeb acquires an IPv4/IPv6 address for this aggregate using DHCP.
      IP/Netmask
      Type the IP address/subnet mask associated with the aggregate. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet.
      Administrative Access
      Enable the types of administrative access that you want to permit to the selected interfaces.

      These options do not disable outgoing administrative connections, such as update polling connections to the FDN or outgoing ICMP resulting from a CLI command such as execute ping. Neither do they govern traffic destined for a web server or virtual server, which are governed by policies. These options only govern incoming connections destined for the appliance itself.

      Caution: Enable only on network interfaces connected to trusted private networks (defined in Trusted Host #1, Trusted Host #2, Trusted Host #3) or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance.
      HTTPS
      Enable to allow secure HTTPS connections to the web UI through this network interface. To configure the listening port number, see Global web UI & CLI settings.
      PING
      Enable to allow:

      • ICMP type 8 (ECHO_REQUEST)
      • UDP ports 33434 to 33534

      for ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), FortiWeb will reply with ICMP type 0 (ECHO_RESPONSE or “pong”).

      Note: Disabling PING only prevents FortiWeb from receiving ICMP type 8 (ECHO_REQUEST) and traceroute-related UDP. It does not disable FortiWeb CLI commands such as execute ping or execute traceroute that send such traffic.
      HTTP
      Enable to allow HTTP connections to the web UI through this network interface. To configure the listening port number, see Global web UI & CLI settings. Because HTTP access to the FortiWeb web UI is automatically redirected to HTTPS, you cannot enable HTTP alone; enable it together with HTTPS.
      SSH
      Enable to allow SSH connections to the CLI through this network interface.
      SNMP
      Enable to allow SNMP queries to this network interface, if queries have been configured and the sender is a configured SNMP manager. To configure the listening port number and configure queries and traps, see SNMP traps & queries.
      FortiWeb Manager
      Enable to allow FortiWeb Manager to connect to this appliance using this network interface.
    4. Click OK.

    Your new aggregate appears in the list of network interfaces.

    To configure an IPv4 link aggregate via the CLI

    Enter the following commands:

    config system interface
      edit "aggregate"
        set type agg
        set status up
        set intf <port_name> <port_name>
        set algorithm {layer2 | layer2_3 | layer3_4}
        set lacp-speed {fast | slow}
        set mode {manual | dhcp}
        set ip <address_ipv4> <netmask_ipv4mask>
      next
    end

    where:

    • <port_name> is the name of a physical network interface, such as port3
    • <address_ipv4> is the IP address assigned to the network interface
    • <netmask_ipv4mask> is its netmask in dotted decimal format
    • {manual | dhcp} specifies how the network interface is addressed
    • {layer2 | layer2_3 | layer3_4} selects the connectivity layers that will be considered when distributing frames among the aggregated physical ports
    • {fast | slow} selects the rate of transmission for the LACP frames (LACPDUs) between FortiWeb and the peer device at the other end of the trunking cables; this must match the LACP peer
    See also

    Configuring redundant interfaces

    You can combine two or more interfaces in a redundant configuration to ensure connectivity in the event that one physical interface or the equipment connected to that interface fails. Network traffic goes through only one interface at any time, and the other interfaces act as backups in the event an interface fails. Redundant interfaces create redundant connections between a FortiWeb configuration and the network, removing a potential single point of failure and further increasing network reliability and connectivity.

    When used in certain network configurations, such as a High Availability (HA) Active-Passive (AP) configuration, you can create a fully meshed HA configuration that eliminates potential single points of failure. By default, HA configurations connect to the network using a single switch, and this single piece of equipment remains a potential single point of failure. When you configure redundant interfaces in an HA configuration, you eliminate the remaining potential single point of failure between your FortiWeb configuration and the network.

    An interface can be used in a redundant interface configuration if it:

    • Is a physical interface and not a VLAN interface
    • Does not have any VLAN subinterfaces
    • Is not referenced in any V-zone interfaces
    • Is not already part of an aggregated or redundant interface configuration
    • Has no defined IP address (Manual or DHCP)
    • Is not used in a server policy or virtual server configuration
    • Is not used by a static route or policy route
    • Is not monitored by an HA configuration
    • Is not referenced in an HA Reserved Management Interface
    • Is not referenced in an HA Heartbeat Interface

    Interfaces in a redundant interface configuration are not listed in System > Network > Interface. You cannot further configure or select redundant interfaces in other parts of the configuration.

    To configure redundant interfaces via the web UI
    1. Go to System > Network > Interface.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see Permissions.
    2. Click Create New.
    3. Enter a Name for the interface.
    4. For Type, select Redundant Interface.
    5. Select ports that you want to use in the configuration from the list of Available Interfaces and use the (arrow) icon to move them to the Selected Interfaces list.
    6. For Addressing mode, select one of the following:
      • Manual to enter an IPv4 address. If you select Manual, also configure the IPv4/Netmask option. Type the IP address and subnet mask, separated by a forward slash ( / ), such as 192.0.2.2/24.
      • DHCP so that FortiWeb will acquire an IPv4 address using DHCP.
    7. Optionally, for IPv6 Addressing mode, select one of the following:
      • Manual to enter an IPv6 address. If you select Manual, also configure the IPv6/Netmask option.
      • DHCP so that FortiWeb will acquire an IPv6 address using DHCP.
    8. For Administrative Access, select the types of administrative access that you want to permit to the selected interfaces.

      These options do not disable outgoing administrative connections, such as update polling connections to the FDN or outgoing ICMP resulting from a CLI command such as execute ping. Neither do they govern traffic destined for a web server or virtual server, which are governed by policies. These options only govern incoming connections destined for the appliance itself.

      Caution: Enable only on network interfaces connected to trusted private networks (defined in Trusted Host #1, Trusted Host #2, Trusted Host #3) or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance.
      HTTPS
      Enable to allow secure HTTPS connections to the web UI through this network interface. To configure the listening port number, see Global web UI & CLI settings.
      PING
      Enable to allow:

      • ICMP type 8 (ECHO_REQUEST)
      • UDP ports 33434 to 33534

      for ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), FortiWeb will reply with ICMP type 0 (ECHO_RESPONSE or “pong”).

      Note: Disabling PING only prevents FortiWeb from receiving ICMP type 8 (ECHO_REQUEST) and traceroute-related UDP. It does not disable FortiWeb CLI commands such as execute ping or execute traceroute that send such traffic.
      HTTP
      Enable to allow HTTP connections to the web UI through this network interface. To configure the listening port number, see Global web UI & CLI settings. Because HTTP access to the FortiWeb web UI is automatically redirected to HTTPS, you cannot enable HTTP alone; enable it together with HTTPS.
      SSH
      Enable to allow SSH connections to the CLI through this network interface.
      SNMP
      Enable to allow SNMP queries to this network interface, if queries have been configured and the sender is a configured SNMP manager. To configure the listening port number and configure queries and traps, see SNMP traps & queries.
      FortiWeb Manager
      Enable to allow FortiWeb Manager to connect to this appliance using this network interface.
    9. Click OK.
    To configure redundant interfaces via the CLI

    Enter the following commands:

    config system interface
      edit <interface_name>
        set type redundant
        set intf {<port_name> ...}
        set mode {static | dhcp}
        set ip {interface_ipv4mask}
        set ip6-mode {static | dhcp}
        set ip6 {interface_ipv6mask}
      next
    end

    where:

    • <interface_name> is the name of the redundant interface configuration that you want to create
    • intf {<port_name> ...} is each port that you want to include in the configuration
    • mode {static | dhcp} specifies whether the interface obtains its IPv4 address and netmask using DHCP
    • ip {interface_ipv4mask} is the IPv4 address assigned to the network interface if you use a static IP
    • ip6-mode {static | dhcp} specifies whether the interface obtains its IPv6 address using DHCP
    • ip6 {interface_ipv6mask} is the IPv6 address assigned to the network interface if you use a static IP

    Adding a gateway

    Static routes direct traffic exiting the FortiWeb appliance based upon the packet’s destination—you can specify through which network interface a packet leaves and the IP address of a next-hop router that is reachable from that network interface. Routers are aware of which IP addresses are reachable through various network pathways and can forward those packets along pathways capable of reaching the packets’ ultimate destinations. Your FortiWeb itself does not need to know the full route, as long as the routers can pass along the packet.

    True transparent and Transparent Inspection operation modes require that you specify the gateway when configuring the operation mode. In that case, you have already configured a static route. You do not need to repeat this step.

    You must configure FortiWeb with at least one static route that points to a router, often a router that is the gateway to the Internet. You may need to configure multiple static routes if you have multiple gateway routers (e.g. each of which should receive packets destined for a different subset of IP addresses), redundant routers (e.g. redundant Internet/ISP links), or other special routing cases.

    However, often you will only need to configure one route: a default route.

    For example, if a web server is directly attached to one physical port on the FortiWeb, but all other destinations, such as connecting clients, are located on distant networks, such as the Internet, you might need to add only one route: a default route that indicates the gateway router through which FortiWeb sends traffic towards the Internet.

    If your management computer is not directly attached to one of the physical ports of the FortiWeb appliance, you may also require a static route so that your management computer is able to connect with the web UI and CLI.

    When you add a static route through the web UI, the FortiWeb appliance evaluates the route to determine if it represents a different route compared to any other route already present in the list of static routes. If no route having the same destination exists in the list of static routes, the FortiWeb appliance adds the static route, using the next unassigned route index number. The index number of the route in the list of static routes is not necessarily the same as its position in the routing table (diagnose network route list).

    You can also configure FortiWeb to route traffic to a specific network interface/gateway combination based on a packet’s source and destination IP address, instead of the static route configuration. For details, see Creating a policy route.

    To add a static route via the web UI
    1. Go to System > Network > Route and select the Static Route tab.
      To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the Router Configuration category. For details, see Permissions.
    2. Click Create New.
    3. Configure these settings:
      Destination IP/Mask
      Type the destination IP address and network mask of packets that will be subject to this static route, separated by a slash ( / ).

      The value 0.0.0.0/0.0.0.0 or ::/0 results in a default route, which matches the DST field in the IP header of all packets.
      Gateway
      Type the IP address of the next-hop router where the FortiWeb forwards packets subject to this static route. This router must know how to route packets to the destination IP addresses that you have specified in Destination IP/Mask, or forward packets to another router with this information.

      For a direct Internet connection, this is the router that forwards traffic towards the Internet, and could belong to your ISP.

      Caution: The gateway IP address must be in the same subnet as the interface’s IP address. Failure to do so will cause FortiWeb to delete all static routes, including the default gateway.
      Interface
      Select the name of the network interface through which the packets subject to the static route will egress towards the next-hop router.

      Making a default route for your FortiWeb is a typical best practice: if there is no other, more specific static route defined for a packet’s destination IP address, a default route will match the packet, and pass it to a gateway router so that any packet can reach its destination.

      If you do not define a default route, and if there is a gap in your routes where no route matches a packet’s destination IP address, packets passing through the FortiWeb towards those IP addresses will, in effect, be null routed. While this can help to ensure that unintentional traffic cannot leave your FortiWeb and therefore can be a type of security measure, the result is that you must modify your routes every time that a new valid destination is added to your network. Otherwise, it will be unreachable. A default route ensures that this kind of locally-caused “destination unreachable” problem does not occur.
    4. Click OK.
      The FortiWeb appliance should now be reachable from the networks indicated by the route’s destination mask.
    5. To verify connectivity, from a host on the route’s destination network, attempt to connect to the FortiWeb appliance’s web UI via HTTP and/or HTTPS. (At this point in the installation, you have not yet configured a policy, and therefore, if in Reverse Proxy mode, cannot test connectivity through the FortiWeb.)

      By default, in Reverse Proxy mode, FortiWeb’s virtual servers will not forward non-HTTP/HTTPS traffic to your protected web servers. (Only traffic picked up and allowed by the HTTP Reverse Proxy will be forwarded.) You may be able to provide connectivity by either deploying in a one-arm topology where other protocols bypass FortiWeb, or by enabling FortiWeb to route other protocols. See also Topology for Reverse Proxy mode and the config router setting command in the FortiWeb CLI Reference.

    If the connectivity test fails, you can use the CLI commands:

    execute ping <destination_ipv4>

    to determine if a complete route exists from the FortiWeb to the host, and

    execute traceroute <destination_ipv4>

    to determine the point of connectivity failure.

    Also enable PING on the FortiWeb’s network interface, or configure an IP address on the bridge, then use the equivalent tracert or traceroute command on the host (depending on its operating system) to test routability for traffic traveling in the opposite direction: from the host to the FortiWeb.

    • If these tests fail, or if you do not want to enable PING, first examine the static route configuration on both the host and FortiWeb.

      To display the routing table, enter the CLI command:

      diagnose network route list

      You may also need to verify that the physical cabling is reliable and not loose or broken, that there are no IP address or MAC address conflicts or blacklisting, and otherwise rule out problems at the physical, network, and transport layer.
    • If these tests succeed, a route exists, but you cannot connect using HTTP or HTTPS, an application-layer problem is preventing connectivity.

      Verify that you have enabled HTTPS and/or HTTP on the network interface. Also examine routers and firewalls between the host and the FortiWeb appliance to verify that they permit HTTP and/or HTTPS connectivity between them. Finally, you can also use the CLI command:

      diagnose system top 5 30

      to verify that the daemons for the web UI and CLI, such as sshd, newcli, and httpsd are running and not overburdened. For details, see the FortiWeb CLI Reference:

      http://docs.fortinet.com/fortiweb/reference
    To add a default route via the CLI
    1. Enter the following commands:
      config router static
        edit <route_index>
          set gateway <gateway_ipv4>
          set device <interface_name>
      end

      where:

      • <route_index> is the index number of the route in the list of static routes
      • <gateway_ipv4> is the IP address of the gateway router
      • <interface_name> is the name of the network interface through which packets will egress, such as port1

      The FortiWeb appliance should now be reachable from the networks indicated by the route’s destination mask.
    2. To verify connectivity, from a host on the network applicable to the route, attempt to connect to the FortiWeb appliance’s web UI via HTTP and/or HTTPS. (At this point in the installation, you have not yet configured a policy, and therefore, if in Reverse Proxy mode, cannot test connectivity through the FortiWeb.)

      By default, in Reverse Proxy mode, FortiWeb’s virtual servers will not forward non-HTTP/HTTPS traffic to your protected web servers. (Only traffic picked up and allowed by the HTTP Reverse Proxy will be forwarded.) You may be able to provide connectivity by either deploying in a one-arm topology where other protocols bypass FortiWeb, or by enabling FortiWeb to route other protocols. See also Topology for Reverse Proxy mode and the config router setting command in the FortiWeb CLI Reference:

      http://docs.fortinet.com/fortiweb/reference

    If the connectivity test fails, you can use the CLI commands:

    execute ping

    to determine if a complete route exists from the FortiWeb to the host, and

    execute traceroute

    to determine the point of connectivity failure. For details, see the FortiWeb CLI Reference (http://docs.fortinet.com/fortiweb/reference). Also enable ping on the FortiWeb (see To configure a network interface’s IPv4 address via the CLI), then use the equivalent tracert or traceroute command on the host (depending on its operating system) to test routability for traffic traveling in the opposite direction: from the host to the FortiWeb.

    • If these tests fail, or if you do not want to enable PING, first examine the static route configuration on both the host and FortiWeb.

      To display all routes with their priorities, enter the CLI command:

      diagnose network route list

      You may also need to verify that the physical cabling is reliable and not loose or broken, that there are no IP address or MAC address conflicts or blacklisting, and otherwise rule out problems at the physical, network, and transport layer.
    • If these tests succeed, a route exists, but you cannot connect using HTTP or HTTPS, an application-layer problem is preventing connectivity.

      Verify that you have enabled HTTPS and/or HTTP on the network interface (see To configure a network interface’s IPv4 address via the CLI). Also examine routers and firewalls between the host and the FortiWeb appliance to verify that they permit HTTP and/or HTTPS connectivity between them. Finally, you can also use the CLI command:

      diagnose system top 5 30

      to verify that the daemons for the web UI and CLI, such as sshd, newcli, and httpsd are running and not overburdened. For details, see the FortiWeb CLI Reference (http://docs.fortinet.com/fortiweb/reference).
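    The following added Python script (not FortiWeb code) encodes the interface and static-route rules stated above so that a planned configuration can be checked before it is entered: no two interfaces on the same subnet, each gateway inside its egress interface's subnet (otherwise FortiWeb discards all static routes), and a default route present. The interface names, addresses and the deliberately wrong second route are constructed sample data.

```python
"""Pre-flight checks for FortiWeb interface and static-route settings.

Constructed example, not FortiWeb code. It encodes rules stated in the
guide: two interfaces cannot share a subnet; a static route's gateway
must be in its egress interface's subnet (or FortiWeb deletes all static
routes); and a default route avoids null-routing unknown destinations.
"""
import ipaddress

# Constructed sample configuration (RFC 5737 documentation addresses).
INTERFACES = {
    "port1": "192.0.2.2/24",
    "port2": "198.51.100.2/24",
}

# Each route: (destination/mask, gateway, egress interface).
# The second route is deliberately wrong: its gateway lies in port2's
# subnet, but the route egresses via port1.
STATIC_ROUTES = [
    ("0.0.0.0/0", "192.0.2.1", "port1"),
    ("203.0.113.0/24", "198.51.100.254", "port1"),
]


def check_interfaces(interfaces):
    """Return findings for interfaces whose addresses share one subnet."""
    findings = []
    seen = {}
    for name, cidr in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        if net in seen:
            findings.append(
                f"{name} and {seen[net]} are both on {net}; "
                "two interfaces cannot have addresses on the same subnet")
        else:
            seen[net] = name
    return findings


def check_static_routes(interfaces, routes):
    """Return findings for gateways that are not on-link, and a missing default."""
    findings = []
    have_default = False
    for dst, gateway, device in routes:
        dst_net = ipaddress.ip_network(dst, strict=False)
        if dst_net.prefixlen == 0:
            have_default = True
        if device not in interfaces:
            findings.append(
                f"route to {dst}: {device} is not an interface with an IP address")
            continue
        if_net = ipaddress.ip_interface(interfaces[device]).network
        gw = ipaddress.ip_address(gateway)
        if gw not in if_net:
            findings.append(
                f"route to {dst}: gateway {gateway} is not in {device}'s subnet "
                f"{if_net}; FortiWeb would delete all static routes")
    if not have_default:
        findings.append(
            "no default route (0.0.0.0/0): unmatched destinations are null routed")
    return findings


def check_config(interfaces, routes):
    """Run every check and return the combined list of findings."""
    return check_interfaces(interfaces) + check_static_routes(interfaces, routes)


if __name__ == "__main__":
    for finding in check_config(INTERFACES, STATIC_ROUTES) or ["no problems found"]:
        print(finding)
```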
    See also

    Creating a policy route

    In most cases, you use policy routes in Reverse Proxy mode. In this mode, requests are destined for a virtual server’s network interface and IP address on FortiWeb, not for a web server directly. When FortiWeb sends a response packet to the client that initiated the request, the source IP in the response packet is the virtual server's IP address, not the web server's IP address. The following paragraphs introduce how to use policy routes to direct traffic to different next-hop gateways based on the source IP in the response packet.

    The difference between static route and policy route

    As introduced in the previous section, a static route forwards outgoing traffic based on the destination IP, and it is usually used when only one gateway is connected to FortiWeb to forward FortiWeb's outgoing traffic to any destination. But what if there are multiple gateways, and FortiWeb's outgoing traffic to any destination should be forwarded to different gateways?

    The most common case is that multiple gateways are installed to forward clients' requests from networks operated by different ISPs, say ISP1 and ISP2. When FortiWeb sends back the response packet, there must be a rule telling FortiWeb to send it to the right gateway, so that a packet destined for ISP1's network is not sent to the gateway connected to ISP2. For this case, a static route is not the right choice, because a static route distinguishes the next-hop gateways based on the packet's destination IP, and the destination IP inside each ISP could be anything.

    A policy route is perfectly suited to solve this issue (usually called the Asymmetric Routing Issue). The best practice is to create two virtual servers on FortiWeb to receive and send packets, and then create policy routes to forward the response packets to the right next-hop router based on their source IPs (the virtual servers' IP addresses).

    Using policy route to divert traffic based on source IPs

    We will use the following network topology as an example to illustrate how to use policy routes to divert traffic based on the source IP in the response packet.

    To direct FortiWeb's outgoing traffic to the default gateway (1.1.1.254) and gateway2 (2.2.2.254):

    • Configure the following policy route so that a packet with source IP 2.2.2.1/24 exits FortiWeb through port2 to the next-hop gateway whose IP address is 2.2.2.254.
      Make sure not to select the incoming interface, because in Reverse Proxy mode FortiWeb does not carry the incoming interface information in the outgoing packet.
    • Configure the following static route so that all other traffic, which does not match the conditions specified in the policy route, is forwarded to the default gateway whose IP address is 1.1.1.254.

    A policy route has higher priority than a static route. In this example, a packet exiting FortiWeb with source IP 2.2.2.1 matches both the static route and the policy route, but the system applies only the policy route to the packet because the policy route has higher priority.

    Note: In this case, the source IPs in the outgoing packets are either 2.2.2.1 or 1.1.1.1, so, instead of configuring a static route, you can alternatively configure another policy route specifying the Source address as 1.1.1.1/24, the Outgoing Interface as port1, and the Gateway Address as 1.1.1.254.

    Using policy route and the ip-forward command to configure FortiWeb as a router

    In Reverse Proxy mode, policy route can also be used together with the ip-forward command to configure FortiWeb as a router to forward the non-HTTP/HTTPS traffic to back-end servers. The non-HTTP/HTTPS traffic is handled in the following ways:

    • Any non-HTTP/HTTPS traffic destined for a virtual server on the appliance is dropped.
    • For any non-HTTP/HTTPS traffic destined for another destination (for example, a back-end server), FortiWeb acts as a router and forwards it to its destination address. The incoming and outgoing interfaces configured in the policy routes are used to forward the non-HTTP/HTTPS traffic.

    For example, you can create a policy route with the following settings so that all the traffic from the incoming interface port4 will exit FortiWeb through the outgoing interface port1.

    Then, connect to FortiWeb's CLI and run the following command to enable ip-forward:

    config router setting
      set ip-forward enable
      set ip6-forward enable
    end

    To create a policy route
    1. Go to System > Network > Route and select the Policy Route tab.
    2. Complete the following settings:
      If traffic matches:
      Incoming Interface
      Select the interface on which FortiWeb receives the packets to which it applies this routing policy.
      Source address/mask (IPv4/IPv6)
      Enter the source IP address and network mask to match. When a packet matches the specified address, FortiWeb routes it according to this policy.
      Destination address/mask (IPv4/IPv6)
      Enter the destination IP address and network mask to match. When a packet matches the specified address, FortiWeb routes it according to this policy.
      Fwmark
      Enter the Fwmark value specified in Firewall Fwmark Policy. If you do not need to match traffic against the Fwmark value, enter 0. The valid range is 0-255.

      Force traffic to:
      Action
      Forward Traffic: FortiWeb forwards traffic that matches the specified conditions according to this policy route.
      Stop Policy Routing: FortiWeb stops evaluating policy routes for traffic that matches the specified conditions and forwards it according to the matching static route.
      Outgoing Interface
      Select the interface through which FortiWeb routes packets that match the specified IP address information.
      Gateway Address (IPv4/IPv6)
      Enter the IP address of the next-hop router to which FortiWeb forwards packets that match the specified IP address information.

      Ensure that this router knows how to route packets to the destination IP address, or forwards packets to another router with this information.

      A gateway address is not required for the particular policy routes used as static routes in a one-arm topology. Leave this blank for a one-arm topology.
      Priority
      Enter a value between 1 and 200 that specifies the priority of the route. When packets match more than one policy route, FortiWeb directs traffic to the route with the lowest value.
    3. Click OK.

    Notice for using policy routes in a one-arm topology

    FortiWeb's policy routes have higher priority than its static routes: every packet is evaluated against the policy routes first, then against the static routes. Therefore, when FortiWeb is deployed in a one-arm topology (see Planning the network topology) and any policy route is configured for FortiWeb to reach other networks, we strongly recommend adding particular policy routes with a higher priority that perform the static routing within the connected network subnets.

    For example, a policy route might be set for updating the signature and virus databases through the Internet. Packets that FortiWeb forwards in Reverse Proxy mode within subnet 192.0.2.0/24 might then match that policy route first rather than the static route, and so be directed along an incorrect path, which results in a failed Reverse Proxy. Therefore, whatever your other policy routes are, we strongly suggest setting an extra policy route like the following (for this example):

    Destination address/mask = 192.0.2.0/24

    Outgoing Interface = port3

    Priority = 10

    This particular policy route acts as a static route that chooses port3 as the path for packets destined to subnet 192.0.2.0/24. To make sure all packets are evaluated against such particular policy routes before the other, normal policy routes, they must be assigned a higher (or the highest) priority than the other policy routes. With its higher (or highest) priority and no gateway specified, this particular policy route essentially reverses the effect of policy routes taking precedence over static routes.
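    To make the precedence described here and in the two-gateway example above concrete, the following added Python model (not FortiWeb code) evaluates a packet against policy routes first (lowest Priority value first, honouring Stop Policy Routing), then falls back to longest-prefix static routing. The 1.1.1.x and 2.2.2.x addresses come from the guide's example; the 192.0.2.0/24 one-arm gateway, virtual-server and back-end addresses are constructed placeholders.

```python
"""Model of FortiWeb's route selection order as described in the guide:
policy routes first (lowest Priority value wins), static routes only if
no policy route forwards the packet. Constructed example, not FortiWeb code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class PolicyRoute:
    name: str
    out_intf: str
    priority: int                    # 1-200, lowest value evaluated first
    src: Optional[str] = None        # Source address/mask to match
    dst: Optional[str] = None        # Destination address/mask to match
    in_intf: Optional[str] = None    # Incoming Interface to match
    gateway: Optional[str] = None    # None = no gateway, deliver on-link
    action: str = "forward"          # "forward" or "stop" (Stop Policy Routing)

    def matches(self, pkt):
        for want, have in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            if want and ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        return self.in_intf is None or self.in_intf == pkt.get("in_intf")


@dataclass
class StaticRoute:
    dst: str
    device: str
    gateway: Optional[str] = None    # None = directly connected subnet


def select_route(pkt, policy_routes, static_routes):
    """Return (out_intf, next_hop, rule_name) for a packet dict."""
    for pr in sorted(policy_routes, key=lambda r: r.priority):
        if not pr.matches(pkt):
            continue
        if pr.action == "stop":
            break                    # Stop Policy Routing: use the static table
        return pr.out_intf, pr.gateway or "on-link", pr.name
    dst = ipaddress.ip_address(pkt["dst"])
    candidates = [sr for sr in static_routes
                  if dst in ipaddress.ip_network(sr.dst, strict=False)]
    if not candidates:
        return None, None, "null-routed"   # no default route: packet is dropped
    best = max(candidates,
               key=lambda sr: ipaddress.ip_network(sr.dst, strict=False).prefixlen)
    return best.device, best.gateway or "on-link", f"static {best.dst}"


# Scenario 1: two ISP gateways (addresses from the guide's example).
ISP_POLICY = [PolicyRoute("to-isp2", "port2", 1, src="2.2.2.1/24", gateway="2.2.2.254")]
ISP_STATIC = [StaticRoute("0.0.0.0/0", "port1", "1.1.1.254")]

# Scenario 2: one-arm deployment on 192.0.2.0/24 behind port3. Gateway,
# virtual-server and back-end addresses are constructed placeholders.
UPDATE_POLICY = PolicyRoute("updates", "port3", 100, dst="0.0.0.0/0", gateway="192.0.2.1")
FIX_POLICY = PolicyRoute("local-subnet", "port3", 10, dst="192.0.2.0/24")   # no gateway
ONEARM_STATIC = [StaticRoute("0.0.0.0/0", "port3", "192.0.2.1"),
                 StaticRoute("192.0.2.0/24", "port3")]


def isp_reply(src_ip, client_ip="203.0.113.9"):
    """Route a response packet leaving a virtual server with the given source IP."""
    return select_route({"src": src_ip, "dst": client_ip}, ISP_POLICY, ISP_STATIC)


def one_arm_to_backend(with_fix):
    """Route a Reverse Proxy packet to a back-end on the connected subnet."""
    policies = [UPDATE_POLICY] + ([FIX_POLICY] if with_fix else [])
    return select_route({"src": "192.0.2.10", "dst": "192.0.2.50"}, policies, ONEARM_STATIC)


if __name__ == "__main__":
    print("reply from 2.2.2.1:", isp_reply("2.2.2.1"))        # policy route wins
    print("reply from 1.1.1.1:", isp_reply("1.1.1.1"))        # falls to default static route
    print("one-arm, no fix:   ", one_arm_to_backend(False))   # wrongly sent via the gateway
    print("one-arm, with fix: ", one_arm_to_backend(True))    # delivered on-link via port3
```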

    See also

    FortiWeb does not currently support IPSec VPN, so the virtual interfaces for IPSec VPN are not supported. If you require these features, implement them separately on your FortiGate, VPN appliance, or firewall.

    Usually, each network interface has at least one IP address and netmask. However, this is not true for bridges.

    Bridges (V-zones) allow packets to travel between the FortiWeb appliance’s physical network ports at the link layer (Layer 2), without an IP layer connection with those ports.

    Use bridges when:

    • The FortiWeb appliance operates in True Transparent Proxy or Transparent Inspection mode, and
    • You want to deploy FortiWeb between incoming connections and the web server it is protecting, without changing your IP address scheme or performing routing or network address translation (NAT)

    For bridges, do not assign IP addresses to the ports that you will connect to either the web server or to the overall network. Instead, group the two physical network ports by adding their associated network interfaces to a bridge.

    Configure each network interface that will connect to your network or computer (see Configuring the network interfaces or Configuring a bridge (V-zone)). If you want multiple networks to use the same wire while minimizing the scope of broadcasts, configure VLANs (see Adding VLAN subinterfaces).


    Configuring the network interfaces

    You can configure network interfaces either via the web UI or the CLI. If your network uses VLANs, you can also configure VLAN subinterfaces. For details, see Adding VLAN subinterfaces.

    If the FortiWeb appliance is operating in True Transparent Proxy or Transparent Inspection mode and you will configure a V-zone (bridge), do not configure any physical network interfaces other than port1. Network interfaces that already have an IP address cannot be added to a bridge. For details, see Configuring a bridge (V-zone).

    If this FortiWeb will belong to a FortiWeb HA cluster, do not configure any network interface that will be used as an HA heartbeat and synchronization link. If you are re-cabling your network and must configure it, connect and switch to the new HA link first. Failure to do so could cause unintentional downtime, failover, and ignored IP address configuration. To switch the HA link, see FortiWeb high availability (HA) .

    To customize the network interface information that FortiWeb displays when you go to System > Network > Interface, right-click the heading row. Select and clear the columns you want to display or hide, and then click Apply.

    To configure a network interface’s IP address via the web UI
    1. Go to System > Network > Interface.

      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see Permissions.

      If the network interface’s Status column is Bring Up, its administrative status is currently “down” and it will not receive or emit packets, even if you otherwise configure it. To bring up the network interface, click the Bring Up link.

      This Status column is not the detected physical link status; it is the administrative status that indicates whether you permit the network interface to receive and/or transmit packets.

      For example, if the cable is physically unplugged, the CLI command diagnose hardware nic list port1 or the Operation widget may indicate that the link is down, even though you have administratively enabled it by clicking Bring Up.

      By definition, HA heartbeat and synchronization links should always be “up.” Therefore, if you have configured FortiWeb to use a network interface for HA, its Status column will always display HA Member.

    2. Double-click the row of the network interface that you want to modify.

      The Edit Interface dialog appears. Name displays the name and media access control (MAC) address of this network interface. The network interface is directly associated with one physical link as indicated by its name, such as port2.

      In HA, it may use a virtual MAC instead. For details, see HA heartbeat and FortiWeb high availability (HA).

    3. Configure these settings:
      Addressing Mode Specify whether FortiWeb acquires an IPv4/IPv6 address for this network interface manually or using DHCP.
      IP/Netmask

      Type the IP address and subnet mask, separated by a forward slash ( / ), such as 192.0.2.2/24 for an IPv4 address or 2001:0db8:85a3::8a2e:0370:7334/64 for an IPv6 address.

      The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet.

      In Active-Passive and Standard Active-Active HA modes, IPv6 duplicate address detection (DAD) is disabled by default, so FortiWeb does not detect whether the IPv6 address of its network interface conflicts with another device on the same link. Run the following command on the master node to enable it:

      config system global
        set ipv6-dad-ha enable
      end

      Duplicate address detection is a one-time check that runs only when you configure the IPv6 address of the network interface. It is not repeated on reboot or failover, even if a conflicting address exists by then.

      Administrative Access Enable the types of administrative access that you want to permit to this interface.

      These options do not disable outgoing administrative connections, such as update polling connections to the FDN or outgoing ICMP resulting from a CLI command such as execute ping. Neither do they govern traffic destined for a web server or virtual server, which are governed by policies. These options only govern incoming connections destined for the appliance itself.

      Caution: Enable only on network interfaces connected to trusted private networks (defined in Trusted Host #1, Trusted Host #2, Trusted Host #3) or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance.
      HTTPS Enable to allow secure HTTPS connections to the web UI through this network interface. To configure the listening port number, see Global web UI & CLI settings.
      PING Enable to allow:
      • ICMP type 8 (ECHO_REQUEST)
      • UDP ports 33434 to 33534

      for ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), FortiWeb replies with ICMP type 0 (ECHO_REPLY, or “pong”).

      Note: Disabling PING only prevents FortiWeb from receiving ICMP type 8 (ECHO_REQUEST) and traceroute-related UDP.

      It does not disable FortiWeb CLI commands such as execute ping or execute traceroute that send such traffic.

      For the management port, enabling PING is not sufficient on its own: you must also configure a firewall rule to allow execute ping for the management port.
      HTTP Enable to allow HTTP connections to the web UI through this network interface. To configure the listening port number, see Global web UI & CLI settings.

      HTTP access to the web UI is automatically redirected to HTTPS, so HTTP cannot be enabled alone; enable it together with HTTPS.
      SSH Enable to allow SSH connections to the CLI through this network interface.
      SNMP Enable to allow SNMP queries to this network interface, if queries have been configured and the sender is a configured SNMP manager. To configure the listening port number and configure queries and traps, see SNMP traps & queries.

      FortiWeb Manager Enable to allow FortiWeb Manager to connect to this appliance using this network interface.
      WCCP Protocol Select if the interface is used to communicate with a FortiGate unit configured as a WCCP server.

      Available only when the operation mode is WCCP.

      For details, see Setting the operation mode and Configuring FortiWeb to receive traffic via WCCP.
      Description Type a comment. The maximum length is 63 characters.

      Optional.
    4. Click OK.
    5. If you were connected to the web UI through this network interface, you are now disconnected from it.

    6. To access the web UI again, in your web browser, modify the URL to match the new IP address of the network interface. For example, if you configured the network interface with the IP address 10.10.10.5, you would browse to: https://10.10.10.5

    If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiWeb appliance, you may also need to modify the IP address and subnet of your computer to match the FortiWeb appliance’s new IP address.

    To configure a network interface’s IPv4 address via the CLI

    Enter the following commands:

    config system interface
      edit <interface_name>
        set mode {manual|dhcp}
        set ip <address_ipv4> <netmask_ipv4mask>
        set allowaccess {http https ping snmp ssh telnet}
      end

    where:

    • <interface_name> is the name of a network interface
    • {manual|dhcp} specifies whether the network interface is addressed manually or by DHCP
    • <address_ipv4> is the IP address assigned to the network interface
    • <netmask_ipv4mask> is its netmask in dotted decimal format
    • {http https ping snmp ssh telnet} is a space-delimited list of zero or more administrative protocols that you want to allow to access the FortiWeb appliance through the network interface
    HTTP and Telnet connections are not encrypted and can be intercepted by a third party. If possible, enable these protocols only on network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through these protocols could compromise the security of your FortiWeb appliance.

    If you were connected to the CLI through this network interface, you are now disconnected from it.

    To access the CLI again, in your terminal client, modify the address to match the new IP address of the network interface. For example, if you configured the network interface with the IP address 172.16.1.20, you would connect to that IP address.

    If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiWeb appliance, you may also need to modify the IP address and subnet of your computer to match the FortiWeb appliance’s new IP address.
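    As an added example (not FortiWeb code), the following Python script audits a config system interface block in the CLI syntax shown above for the problems this section warns about: cleartext HTTP or Telnet administrative access, administrative access enabled on an interface other than the management port, an invalid address/netmask, and two interfaces addressed on the same subnet. It also validates the web UI's address/prefix form, including IPv6. The sample configuration, its interface names and addresses, and the choice of port1 as the only management interface are assumptions constructed for the example.

```python
"""Audit FortiWeb-style `config system interface` text for unsafe settings.

Added example, not FortiWeb code. The configuration below is constructed to
mirror the CLI syntax shown in this section; the interface names, addresses
and the choice of port1 as the only management interface are assumptions.
"""
import ipaddress
import re

CLEARTEXT_PROTOCOLS = {"http", "telnet"}   # interceptable by a third party
MANAGEMENT_INTERFACES = {"port1"}          # assumption for this example

# Constructed sample: port2 exposes cleartext management on a non-management
# port, and port3 is addressed on the same subnet as port2.
SAMPLE_CONFIG = """\
config system interface
    edit port1
        set mode manual
        set ip 192.0.2.2 255.255.255.0
        set allowaccess https ssh ping
    next
    edit port2
        set mode manual
        set ip 198.51.100.10 255.255.255.0
        set allowaccess http telnet https
    next
    edit port3
        set mode manual
        set ip 198.51.100.20 255.255.255.0
    next
    edit port4
        set mode dhcp
    next
end
"""


def parse_interfaces(config_text):
    """Return {name: {"mode", "ip", "netmask", "allowaccess"}} from CLI text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        match = re.match(r'^edit\s+"?([\w.-]+)"?$', line)
        if match:
            current = {"mode": "manual", "ip": None, "netmask": None,
                       "allowaccess": set()}
            interfaces[match.group(1)] = current
            continue
        if line in ("next", "end"):
            current = None
            continue
        if current is None:
            continue
        parts = line.split()
        if parts[:2] == ["set", "mode"] and len(parts) == 3:
            current["mode"] = parts[2]
        elif parts[:2] == ["set", "ip"] and len(parts) == 4:
            current["ip"], current["netmask"] = parts[2], parts[3]
        elif parts[:2] == ["set", "allowaccess"]:
            current["allowaccess"] = set(parts[2:])
    return interfaces


def audit_interfaces(interfaces):
    """Return sorted (interface, finding) pairs for the checks in this section."""
    findings, seen_subnets = [], {}
    for name, cfg in interfaces.items():
        cleartext = cfg["allowaccess"] & CLEARTEXT_PROTOCOLS
        if cleartext:
            findings.append((name, "cleartext admin protocol(s) enabled: "
                             + " ".join(sorted(cleartext))))
        if cfg["allowaccess"] and name not in MANAGEMENT_INTERFACES:
            findings.append((name, "admin access enabled on a non-management interface"))
        if cfg["ip"] in (None, "0.0.0.0"):   # unaddressed or DHCP: nothing to check
            continue
        try:   # ipaddress accepts a dotted-decimal IPv4 netmask after the slash
            subnet = ipaddress.ip_interface(f"{cfg['ip']}/{cfg['netmask']}").network
        except ValueError:
            findings.append((name, f"invalid address/netmask: {cfg['ip']} {cfg['netmask']}"))
            continue
        if subnet in seen_subnets:
            findings.append((name, f"shares subnet {subnet} with {seen_subnets[subnet]}"))
        else:
            seen_subnets[subnet] = name
    return sorted(findings)


def normalize_ip_netmask(text):
    """Validate the web UI's address/prefix form (IPv4 or IPv6); None if malformed."""
    try:
        return str(ipaddress.ip_interface(text))
    except ValueError:
        return None


if __name__ == "__main__":
    for iface, problem in audit_interfaces(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{iface}: {problem}")
```

    Run it against a configuration backup instead of the embedded sample to get a quick list of interfaces that violate the cautions above; the same subnet check catches the "two interfaces on one subnet" mistake before the appliance rejects it.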

    Adding VLAN subinterfaces

    You can add a virtual local area network (VLAN) subinterface to a network interface or bridge on the FortiWeb appliance, up to a maximum of 512 VLAN subinterfaces in total.

    Similar to a local area network (LAN), an IEEE 802.1Q (http://www.ieee802.org/1/pages/802.1Q.html) VLAN reduces the size of a broadcast domain and thereby reduces the amount of broadcast traffic received by network hosts, improving network performance.

    In True Transparent Proxy mode, FortiWeb supports Q-in-Q to expand the VLAN space: an 802.1Q header and an 802.1ad (http://www.ieee802.org/1/pages/802.1Q.html) header are stacked in the Ethernet frame, so that multiple VLANs can be carried inside one core VLAN. The 802.1Q tag (EtherType 0x8100) is encapsulated in the 802.1ad tag (EtherType 0x88A8). If you create an 802.1ad VLAN on a physical interface, you can then create 802.1Q VLANs on that 802.1ad VLAN; packets are then tagged with both VLANs.

    VLANs are not designed to be a security measure, and should not be used where untrusted devices and/or individuals outside of your organization have access to the equipment. VLAN tags are not authenticated, and can be ignored or modified by attackers. VLAN tags rely on the voluntary compliance of the receiving host or switch.

    Unlike physical LANs, VLANs do not require you to install separate hardware switches and routers to achieve this effect. Instead, VLAN-aware devices, such as FortiWeb appliances, restrict broadcast traffic based upon whether its VLAN ID matches that of the destination network. As such, VLAN trunks can be used to join physically distant broadcast domains as if they were close.

    The VLAN ID is part of the tag that is inserted into each Ethernet frame in order to identify traffic for a specific VLAN. VLAN header addition is handled automatically by FortiWeb appliances, and does not require that you adjust the maximum transmission unit (MTU). Depending on whether the device receiving a packet operates at Layer 2 or Layer 3 of the network, this tag may be added, removed, or rewritten before forwarding to other nodes on the network.

    Cisco Discovery Protocol (CDP) is supported for VLANs, including when FortiWeb is operating in either of the transparent modes.

    If your FortiWeb model uses the Data Plane Development Kit (DPDK) for packet processing (for example, models 3000E, 3010E and 4000E), you cannot use a VLAN subinterface as a data capture port for Offline Protection mode. On these models, remove any VLAN configuration from an interface before you use it for data capture; the physical interface still captures and transmits VLAN-tagged traffic.
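    As an added example (not FortiWeb code), the following Python script builds and parses Ethernet frames carrying the stacked 802.1ad/802.1Q tags described above, enforces the 1 to 4094 VLAN ID range, and rewrites the outer tag, which is exactly what a Layer 2 device, or an attacker with access to the wire, can do because the tags carry no authentication. The MAC addresses, the placeholder payload and the helper names are constructed for the example.

```python
"""Build and parse Ethernet frames with stacked 802.1ad/802.1Q VLAN tags.

Added example, not FortiWeb code. It shows the tag layout this section
describes (outer 802.1ad tag, EtherType 0x88A8, wrapping an inner 802.1Q tag,
EtherType 0x8100) and why a VLAN ID is not an authentication credential: any
sender can put any tag on a frame. MAC addresses and payload are made up.
"""
import struct

ETHERTYPE_8021Q = 0x8100    # customer tag (C-tag)
ETHERTYPE_8021AD = 0x88A8   # service tag (S-tag) used for Q-in-Q
ETHERTYPE_IPV4 = 0x0800
TAG_ETHERTYPES = {ETHERTYPE_8021Q, ETHERTYPE_8021AD}


def validate_vlan_id(vid):
    """Reject IDs outside the 1..4094 range this section gives as valid."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} out of range 1..4094")
    return vid


def build_tag(tpid, vid, pcp=0, dei=0):
    """Encode one 4-byte VLAN tag: TPID, then TCI = PCP(3) | DEI(1) | VID(12)."""
    validate_vlan_id(vid)
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return struct.pack("!HH", tpid, tci)


def build_frame(dst_mac, src_mac, tags, ethertype, payload):
    """Assemble dst | src | tags (outer first, as (tpid, vid, pcp)) | EtherType | payload."""
    frame = bytes(dst_mac) + bytes(src_mac)
    for tpid, vid, pcp in tags:
        frame += build_tag(tpid, vid, pcp)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode the tag stack; tags come back as (tpid, vid, pcp, dei), outer first."""
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TAG_ETHERTYPES:          # keep peeling while the next
        (tci,) = struct.unpack_from("!H", frame, offset + 2)   # EtherType is a TPID
        tags.append((ethertype, tci & 0x0FFF, tci >> 13, (tci >> 12) & 1))
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def retag(frame, new_outer_vid):
    """Rewrite the outermost VLAN ID in place; nothing in the frame prevents this."""
    parsed = parse_frame(frame)
    if not parsed["tags"]:
        raise ValueError("frame is untagged")
    tpid, _, pcp, dei = parsed["tags"][0]
    return frame[:12] + build_tag(tpid, new_outer_vid, pcp, dei) + frame[16:]


# Constructed sample: S-VLAN 1000 carrying C-VLAN 100, as on a Q-in-Q trunk.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45\x00" + b"\x00" * 18   # stand-in bytes, not a real IPv4 packet
QINQ_FRAME = build_frame(DST, SRC,
                         [(ETHERTYPE_8021AD, 1000, 0), (ETHERTYPE_8021Q, 100, 3)],
                         ETHERTYPE_IPV4, PAYLOAD)

if __name__ == "__main__":
    info = parse_frame(QINQ_FRAME)
    for tpid, vid, pcp, dei in info["tags"]:
        print(f"TPID 0x{tpid:04X} VID {vid} PCP {pcp} DEI {dei}")
    print(f"inner EtherType 0x{info['ethertype']:04X}, payload {len(info['payload'])} bytes")
```

    The parser walks the tag stack by checking whether each EtherType field is a TPID, which is how a receiving device decides which VLAN a frame belongs to; retag shows that the same bytes can be replaced by anyone forwarding the frame, which is why the section above says VLANs are not a security boundary.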

    To configure a VLAN subinterface
    1. Go to System > Network > Interface.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see Permissions.
    2. Click Create New.
    3. Configure these settings:
      Name Type the name (for example, vlan100) of this VLAN subinterface that can be referenced by other parts of the configuration. The maximum length is 15 characters.

      Tip: The name cannot be changed once you save the entry. For a workaround, see Renaming entries.
      Type Select VLAN.
      Interface Select the name of the physical network port with which the VLAN subinterface will be associated.
      VLAN ID

      Type the VLAN ID, such as 100, of packets that belong to this VLAN subinterface.

      • If one physical network port (that is, a VLAN trunk) will handle multiple VLANs, create multiple VLAN subinterfaces on that port, one for each VLAN ID that will be received.
      • If multiple different physical network ports will handle the same VLANs, on each of the ports, create VLAN subinterfaces that have the same VLAN IDs.

      The valid range is between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface.

      For the maximum number of interfaces for your FortiWeb model, including VLAN subinterfaces, see Appendix B: Maximum configuration values.

      VLAN Protocol Select the VLAN type, 802.1Q or 802.1ad.
      Addressing Mode Specify whether FortiWeb acquires an IPv4/IPv6 address for this VLAN manually or using DHCP.
      IP/Netmask Type the IP address/subnet mask associated with the VLAN, if any. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet.
      Administrative Access Enable the types of administrative access that you want to permit to this interface.

      These options do not disable outgoing administrative connections, such as update polling connections to the FDN or outgoing ICMP resulting from a CLI command such as execute ping. Neither do they govern traffic destined for a web server or virtual server, which are governed by policies. These options only govern incoming connections destined for the appliance itself.

      Caution: Enable only on network interfaces connected to trusted private networks (defined in Trusted Host #1, Trusted Host #2, Trusted Host #3) or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance.
      HTTPS Enable to allow secure HTTPS connections to the web UI through this network interface. To configure the listening port number, see Global web UI & CLI settings.
      PING Enable to allow:
      • ICMP type 8 (ECHO_REQUEST)
      • UDP ports 33434 to 33534

      for ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), FortiWeb replies with ICMP type 0 (ECHO_REPLY, or “pong”).

      Note: Disabling PING only prevents FortiWeb from receiving ICMP type 8 (ECHO_REQUEST) and traceroute-related UDP.

      It does not disable FortiWeb CLI commands such as execute ping or execute traceroute that send such traffic.

      HTTP

      Enable to allow HTTP connections to the web UI through this network interface. To configure the listening port number, see Global web UI & CLI settings.

      HTTP access to the web UI is automatically redirected to HTTPS, so HTTP cannot be enabled alone; enable it together with HTTPS.

      SSH Enable to allow SSH connections to the CLI through this network interface.
      SNMP Enable to allow SNMP queries to this network interface, if queries have been configured and the sender is a configured SNMP manager. To configure the listening port number and configure queries and traps, see SNMP traps & queries.
      FortiWeb Manager Enable to allow FortiWeb Manager to connect to this appliance using this network interface.
      WCCP Protocol Select if the interface is used to communicate with a FortiGate unit configured as a WCCP server.

      Available only when the operation mode is WCCP.

      For details, see Setting the operation mode and Configuring FortiWeb to receive traffic via WCCP.
    4. Click OK.
    5. Your new VLAN is initially hidden in the list of network interfaces.

      To expand the network interface listing in order to view all of a port’s associated VLANs, click the + (plus sign) beside the name of the port.


    Configuring a bridge (V-zone)

    You can configure a bridge either via the web UI or the CLI.

    Bridges allow network connections to travel through the FortiWeb appliance’s physical network ports without explicitly connecting to one of its IP addresses. Due to this nature, bridges are configured only when FortiWeb is operating in either True Transparent Proxy or Transparent Inspection mode.

    Bridges on the FortiWeb appliance support IEEE 802.1d (https://1.ieee802.org) spanning tree protocol (STP) by forwarding bridge protocol data unit (BPDU) packets, but do not generate BPDU packets of their own. Therefore, in some cases, you might need to manually test the bridged network for Layer 2 loops. Also, you may prefer to manually design a tree that uses the minimum cost path to the root switch for design and performance reasons.

    True bridges typically have no IP address of their own. They use only media access control (MAC) addresses to describe the location of physical ports within the scope of their network and do network switching at Layer 2 of the OSI model.

    You can configure FortiWeb to monitor the members of a bridge. When monitoring is enabled, if a network interface that belongs to the bridge goes down, FortiWeb automatically brings down the other members.

    Using network interface MAC addresses in True Transparent Proxy mode

    When the operation mode is True Transparent Proxy, by default, traffic that travels through a bridge to the back-end servers preserves the MAC address of the source.

    If you are using FortiWeb with front-end load balancers that are in a high availability cluster that connects via multiple bridges, this mechanism can cause switching problems on failover.

    To avoid this problem, the config system v-zone command allows you to configure FortiWeb to use the MAC address of the FortiWeb network interface instead. The option is not available in the web UI. For details, see the FortiWeb CLI Reference:

    http://docs.fortinet.com/fortiweb/reference

    To configure a bridge via the web UI
    1. If you have installed a physical FortiWeb appliance, plug in network cables to connect one of the physical ports in the bridge to your protected web servers, and the other port to the Internet or your internal network.

      Because port1 is reserved for connections with your management computer, for physical appliances, this means that you must plug cables into at least 3 physical ports:

      • port1 to your management computer
      • one port to your web servers
      • one port to the Internet or your internal network

      If you have installed a virtual FortiWeb appliance (FortiWeb-VM), the number and topology of connections of your physical ports depend on your vNIC mappings. For details, see the FortiWeb-VM Install Guide:

      http://docs.fortinet.com/fortiweb/hardware

      To use fail-to-wire, the bridge must be comprised of the ports that have hardware support for fail-to-wire. For example, on FortiWeb 1000C, this is port3 and port4. See Fail-to-wire for power loss/reboots and the QuickStart Guide for your model.

    2. If you have installed FortiWeb-VM, configure the virtual switch (vSwitch). For details, see the FortiWeb-VM Install Guide:

      http://docs.fortinet.com/fortiweb/hardware

    3. Go to System > Network > V-zone.

      This option is not displayed if the current operating mode does not support bridges.

      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see Permissions.

    4. Click Create New.
    5. Configure these settings:
      Name Type a unique name that can be referenced in other parts of the configuration. The maximum length is 15 characters. The name cannot be changed once you save the entry. For details, see Renaming entries.
      Interface name

      Displays a list of network interfaces that you can add to a bridge.

      Only interfaces that currently have no IP address and are not members of another bridge are displayed.

      To add one or more network interfaces to the bridge, select their names, then click the right arrow.

      Since FortiWeb 6.1, a V-zone can contain VLAN subinterfaces (802.1Q and 802.1ad) together with physical interfaces.

      Note: Only network interfaces with no IP address can belong to a bridge. port1 is reserved for your management computer, and cannot be bridged. To remove any other network interface’s IP address so that it can be included in the bridge, set its IP/Netmask to 0.0.0.0/0.0.0.0.

      Member Displays a list of network interfaces that belong to this bridge.

      To remove a network interface from the bridge, select its name, then click the left arrow.

      Tip: If you will be configuring bypass/fail-to-wire, the pair of bridge ports that you select should be ones that are wired together to support it. For details, see Fail-to-wire for power loss/reboots.
    6. Click OK.

      The bridge appears in System > Network > V-zone.

    7. To configure FortiWeb to automatically bring down all members of this V-zone when one member goes down, select Member Monitor.
    8. To use the bridge, select it in a policy (see Configuring an HTTP server policy).
    To configure a bridge in the CLI
    1. If you have installed a physical FortiWeb appliance, connect one of the physical ports in the bridge to your protected web servers, and the other port to the Internet or your internal network.

      Because port1 is reserved for connections with your management computer, for physical appliances, this means that you must connect at least 3 ports:

      • port1 to your management computer
      • one port to your web servers
      • one port to the Internet or your internal network

      If you have installed a virtual FortiWeb appliance, the number and topology of connections of your physical ports depend on your vNIC mappings. For details, see the FortiWeb-VM Install Guide:

      http://docs.fortinet.com/fortiweb/hardware

    2. If you have installed FortiWeb as a virtual appliance (FortiWeb-VM), configure the virtual switch. For details, see the FortiWeb-VM Install Guide:

      http://docs.fortinet.com/fortiweb/hardware

    3. Enter the following commands:

      config system v-zone
        edit <v-zone_name>
          set interfaces {<port_name> ...}
          set monitor {enable | disable}
        end

      where:

      • <v-zone_name> is the name of the bridge
      • {<port_name> ...} is a space-delimited list of one or more network ports that will be members of this bridge. Eligible network ports must not yet belong to a bridge, and have no assigned IP address. For a list of eligible ports, enter:

        set interfaces ?

      • set monitor {enable | disable} is an optional setting that specifies whether FortiWeb automatically brings down all members of this V-zone when one member goes down.
    4. To use the bridge, select it in a policy. For details, see Configuring an HTTP server policy.


    Configuring virtual IP

    A virtual IP address is an IP address paired with the domain name of your application. When users visit your application, their requests are sent to this address.

    You can later attach one or more virtual IP addresses to a virtual server, and then reference the virtual server in a server policy. The web protection profile in the server policy will be applied to all the virtual IPs attached to this virtual server.

    To configure a virtual IP
    1. Go to System > Network > Virtual IP.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see Permissions.
    2. Click Create New.
    3. Configure these settings:
    4. Name Enter a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.

      IPv4 Address

      IPv6 Address

      Enter the IP address and subnet of the virtual IP.

      If the FortiWeb appliance is operating in Offline Protection mode or either of the transparent modes, because FortiWeb ignores this IP address when it determines whether or not to apply a server policy to the connection, you can specify any IP address except the address of the web server.

      The virtual IP address cannot be the same as the IP address of any of the interfaces.

      Interface

      Select the network interface or bridge the virtual IP is bound to and where traffic destined for the virtual IP arrives.

      To configure an interface or bridge, see To configure a network interface or bridge.

    Link aggregation

    You can configure a network interface that is the bundle of several physical links via either the web UI or the CLI.

    The Link Aggregation Control Protocol (LACP) is currently supported only when FortiWeb is deployed in Reverse Proxy or True Transparent Proxy mode. It can be applied to VLAN subinterfaces. It cannot be applied to ports that are used for the HA heartbeat, but it can be applied to monitor ports in an HA cluster. It is not supported in FortiWeb-VM.

    Link aggregation (also called NIC teaming/bonding or link bundling) forms a network interface that queues and transmits over multiple wires (also called a port channel), instead of only a single wire (as FortiWeb would normally do with a single network interface for each physical port). This multiplies the bandwidth that is available to the network interface, and therefore is useful if FortiWeb will be inline with your network backbone.

    Link aggregation on FortiWeb complies with IEEE 802.3ad (http://grouper.ieee.org/groups/802/3/ad/index.html) and distributes Ethernet frames using a modified round-robin behavior. If a port in the aggregate fails, traffic is redistributed automatically to the remaining ports with the only noticeable effect being a reduced bandwidth. When broadcast or multicast traffic is received on a port in the aggregate interface, reverse traffic will return on the same port.

    When link aggregation uses a round-robin that considers only Layer 2, Ethernet frames that comprise an HTTP request can sometimes arrive out of order. Because network protocols at higher layers often do not gracefully handle this (especially TCP, which may decrease network performance by requesting retransmission when the expected segment does not arrive), FortiWeb’s frame distribution algorithm is configurable.

    For example, if you notice that performance with link aggregation is not as high as you expect, you could try configuring FortiWeb to queue related frames consistently to the same port by considering the IP session (Layer 3) and TCP connection (Layer 4), not simply the MAC address (Layer 2).

    You must also configure the router, switch, or other link aggregation control protocol (LACP)-compatible device at the other end of FortiWeb’s network cables to match, with identical:

    • Link speed
    • duplex/simplex setting
    • ports that can be aggregated

    This will allow the two devices to use the cables between those ports to form a trunk, not an accidental Layer 2 (link) network loop. FortiWeb will use LACP to:

    • detect suitable links between itself and the other device, and form a single logical link
    • detect individual port failure so that the aggregate can redistribute queuing to avoid a failed port
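    As an added example (not FortiWeb code, and not FortiWeb's actual distribution algorithm), the following Python simulation contrasts the two behaviours described above: a per-frame round-robin over the member links, which can reorder the segments of one TCP connection when the links have different delays, and a flow hash that keeps every frame of one IP session (layer2_3) or TCP connection (layer3_4) on a single link. The link latencies, the sample connection and the hash function are assumptions made for the illustration.

```python
"""Simulate frame distribution over a link aggregate and count TCP reordering.

Added example, not FortiWeb code and not FortiWeb's real hashing algorithm.
It models a per-frame round-robin versus a flow hash that pins a connection
to one member link. Link latencies, the flow and the hash are constructed.
"""
import hashlib

LINK_LATENCY = [1, 4]    # assumed one-way delay (in ticks) of the two member links


def flow_key(frame, policy):
    """Fields a hash policy considers, named after the layer2_3 / layer3_4 options."""
    if policy == "layer2_3":
        return (frame["src_mac"], frame["dst_mac"], frame["src_ip"], frame["dst_ip"])
    if policy == "layer3_4":
        return (frame["src_ip"], frame["dst_ip"], frame["src_port"], frame["dst_port"])
    raise ValueError(f"unknown policy {policy}")


def select_link(frame, policy, n_links, counter):
    """Pick a member link: round-robin per frame, or a stable hash of the flow key."""
    if policy == "round_robin":
        return counter % n_links
    digest = hashlib.sha256(repr(flow_key(frame, policy)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_links


def deliver(frames, policy, latencies=LINK_LATENCY):
    """Return sequence numbers in receive order.

    Frame i is transmitted at tick i and arrives at i + latency of its link;
    ties are broken by sequence number, which favours the sender's order.
    """
    arrivals = []
    for i, frame in enumerate(frames):
        link = select_link(frame, policy, len(latencies), i)
        arrivals.append((i + latencies[link], frame["seq"]))
    return [seq for _, seq in sorted(arrivals)]


def count_reordered(order):
    """Count segments that arrive after a higher sequence number already did."""
    highest, reordered = -1, 0
    for seq in order:
        if seq < highest:
            reordered += 1
        highest = max(highest, seq)
    return reordered


def make_connection(n_segments):
    """One constructed TCP connection: every frame shares MACs, IPs and ports."""
    return [{"src_mac": "66:77:88:99:aa:bb", "dst_mac": "00:11:22:33:44:55",
             "src_ip": "198.51.100.10", "dst_ip": "192.0.2.2",
             "src_port": 40000, "dst_port": 443, "seq": i}
            for i in range(n_segments)]


def reordering_by_policy(n_segments=6):
    """Map each policy to its reordered-segment count for one connection."""
    frames = make_connection(n_segments)
    return {policy: count_reordered(deliver(frames, policy))
            for policy in ("round_robin", "layer2_3", "layer3_4")}


if __name__ == "__main__":
    for policy, reordered in reordering_by_policy().items():
        print(f"{policy:12s} reordered segments: {reordered}")
```

    With unequal link delays the round-robin policy delivers the six segments as 0, 2, 1, 4, 3, 5, so two segments arrive behind a later one and a real TCP receiver would generate duplicate ACKs or retransmission requests; either flow-hash policy keeps the whole connection on one link and delivers it in order, at the cost of not spreading that single connection across links.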
    To configure a link aggregate interface
    1. Go to System > Network > Interface.

      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see Permissions.

    2. Click Create New.
    3. Configure these settings:
      Name Type the name (such as agg) of this logical interface that can be referenced by other parts of the configuration. The maximum length is 15 characters.

      Tip: The name cannot be changed once you save the entry. For a workaround, see Renaming entries.
      Type Select 802.3ad Aggregate.
      Lacp-rate Select the rate of transmission for the LACP data units (LACPDUs) between FortiWeb and the peer device at the other end of the trunking cables, either:

      • SLOW—Every 30 seconds.
      • FAST—Every 1 second.

      Note: This must match the setting on the other device. If the rates do not match, FortiWeb or the other device could mistakenly believe that the other’s ports have failed, effectively disabling ports in the trunk.
      Algorithm Select the connectivity layers that will be considered when distributing frames among the aggregated physical ports.

      • layer2—Consider only the MAC address. This results in the most even distribution of frames, but may be disruptive to TCP if packets frequently arrive out of order.
      • layer2_3—Consider both the MAC address and IP session. Queue frames involving the same session to the same port. This results in slightly less even distribution, and still does not guarantee perfectly ordered TCP sessions, but does result in less jitter within the session.
      • layer3_4—Consider both the IP session and TCP connection. Queue frames involving the same session and connection to the same port. Distribution is not even, but this does prevent TCP retransmissions associated with link aggregation.
      Addressing Mode Specify whether FortiWeb acquires an IPv4/IPv6 address for this aggregate using DHCP.
      IP/Netmask

      Type the IP address/subnet mask associated with the aggregate. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet.

      Administrative Access Enable the types of administrative access that you want to permit to the selected interfaces.

      These options do not disable outgoing administrative connections, such as update polling connections to the FDN or outgoing ICMP resulting from a CLI command such as execute ping. Neither do they govern traffic destined for a web server or virtual server, which are governed by policies. These options only govern incoming connections destined for the appliance itself.

      Caution: Enable only on network interfaces connected to trusted private networks (defined in Trusted Host #1, Trusted Host #2, Trusted Host #3) or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance.
      HTTPS Enable to allow secure HTTPS connections to the web UI through this network interface. To configure the listening port number, see Global web UI & CLI settings.
      PING

      Enable to allow:

      • ICMP type 8 (ECHO_REQUEST)
      • UDP ports 33434 to 33534

      for ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), FortiWeb will reply with ICMP type 0 (ECHO_RESPONSE or “pong”).

      Note: Disabling PING only prevents FortiWeb from receiving ICMP type 8 (ECHO_REQUEST) and traceroute-related UDP.

      It does not disable FortiWeb CLI commands such as execute ping or execute traceroute that send such traffic.

      HTTP

      Enable to allow HTTP connections to the web UI through this network interface. To configure the listening port number, see Global web UI & CLI settings.

      The HTTP access to FortiWeb's GUI will be automatically redirected to HTTPS, so you can't enable HTTP alone, it should be enabled along with HTTPS.

      SSH Enable to allow SSH connections to the CLI through this network interface.
      SNMP Enable to allow SNMP queries to this network interface, if queries have been configured and the sender is a configured SNMP manager. To configure the listening port number and configure queries and traps, see SNMP traps & queries.
      FortiWeb Manager Enable to allow FortiWeb Manager to connect to this appliance using this network interface.
    6. Click OK.

    Your new aggregate appears in the list of network interfaces.

    To configure an IPv4 link aggregate via the CLI

    Enter the following commands:

    config system interface
      edit "aggregate"
        set type agg
        set status up
        set intf <port_name> <port_name>
        set algorithm {layer2 | layer2_3 | layer3_4}
        set lacp-speed {fast | slow}
        set mode {manual | dhcp}
        set ip <address_ipv4> <netmask_ipv4mask>
      next
    end

    where:

    • <port_name> is the name of a physical network interface, such as port3
    • <address_ipv4> is the IP address assigned to the network interface
    • <netmask_ipv4mask> is its netmask in dotted decimal format
    • {manual | dhcp} specifies how the network interface is addressed
    • {layer2 | layer2_3 | layer3_4} is a choice between the connectivity layers that will be considered when distributing frames among the aggregated physical ports
    • {fast | slow} is a choice of the rate of transmission for the LACP frames (LACPDUs) between FortiWeb and the peer device at the other end of the trunking cables; this must match the LACP peer
    Configuring redundant interfaces

    You can combine two or more interfaces in a redundant configuration to ensure connectivity in the event that one physical interface or the equipment connected to that interface fails. Network traffic goes through only one interface at any time, and the other interfaces act as backups in the event an interface fails. Redundant interfaces create redundant connections between a FortiWeb configuration and the network, removing a potential single point of failure and further increasing network reliability and connectivity.

    When used in certain network configurations, such as a High Availability (HA) Active-Passive (AP) configuration, you can create a fully meshed HA configuration that eliminates potential single points of failure. By default, HA configurations connect to the network using a single switch, and this single piece of equipment remains a potential single point of failure. When you configure redundant interfaces in an HA configuration, you eliminate the remaining potential single point of failure between your FortiWeb configuration and the network.

    An interface can be used in a redundant interface configuration if it:

    • Is a physical interface and not a VLAN interface
    • Does not have any VLAN subinterfaces
    • Is not referenced in any V-zone interfaces
    • Is not already part of an aggregated or redundant interface configuration
    • Has no defined IP address (Manual or DHCP)
    • Is not used in a server policy or virtual server configuration
    • Is not used by a static route or policy route
    • Is not monitored by an HA configuration
    • Is not referenced in an HA Reserved Management Interface
    • Is not referenced in an HA Heartbeat Interface

    Interfaces in a redundant interface configuration are not listed in System > Network > Interface. You cannot further configure or select redundant interfaces in other parts of the configuration.

    To configure redundant interfaces via the web UI
    1. Go to System > Network > Interface.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see Permissions.
    2. Click Create New.
    3. Enter a Name for the interface.
    4. For Type, select Redundant Interface.
    5. Select ports that you want to use in the configuration from the list of Available Interfaces and use the (arrow) icon to move them to the Selected Interfaces list.
    6. For Addressing mode, select one of the following:
      • Manual to enter an IPv4 address. If you select Manual, also configure the IPv4/Netmask option. Type the IP address and subnet mask, separated by a forward slash ( / ), such as 192.0.2.2/24.
      • DHCP so that FortiWeb will acquire an IPv4 address using DHCP.
    7. Optionally, for IPv6 Addressing mode, select one of the following:
      • Manual to enter an IPv6 address. If you select Manual, also configure the IPv6/Netmask option.
      • DHCP so that FortiWeb will acquire an IPv6 address using DHCP.
    8. For Administrative Access, select the types of administrative access that you want to permit to the selected interfaces.

      These options do not disable outgoing administrative connections, such as update polling connections to the FDN or outgoing ICMP resulting from a CLI command such as execute ping. Neither do they govern traffic destined for a web server or virtual server, which are governed by policies. These options only govern incoming connections destined for the appliance itself.

      Caution: Enable only on network interfaces connected to trusted private networks (defined in Trusted Host #1, Trusted Host #2, Trusted Host #3) or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance.
      HTTPS Enable to allow secure HTTPS connections to the web UI through this network interface. To configure the listening port number, see Global web UI & CLI settings.
      PING Enable to allow:

      • ICMP type 8 (ECHO_REQUEST)
      • UDP ports 33434 to 33534

      for ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), FortiWeb will reply with ICMP type 0 (ECHO_RESPONSE or “pong”).

      Note: Disabling PING only prevents FortiWeb from receiving ICMP type 8 (ECHO_REQUEST) and traceroute-related UDP. It does not disable FortiWeb CLI commands such as execute ping or execute traceroute that send such traffic.
      HTTP Enable to allow HTTP connections to the web UI through this network interface. To configure the listening port number, see Global web UI & CLI settings. HTTP access to the FortiWeb GUI is automatically redirected to HTTPS, so HTTP cannot be enabled alone; enable it together with HTTPS.
      SSH Enable to allow SSH connections to the CLI through this network interface.
      SNMP Enable to allow SNMP queries to this network interface, if queries have been configured and the sender is a configured SNMP manager. To configure the listening port number and configure queries and traps, see SNMP traps & queries.
      FortiWeb Manager Enable to allow FortiWeb Manager to connect to this appliance using this network interface.
    9. Click OK.
    To configure redundant interfaces via the CLI

    Enter the following commands:

    config system interface
      edit <interface_name>
        set type redundant
        set intf {<port_name> ...}
        set mode {static | dhcp}
        set ip {interface_ipv4mask}
        set ip6-mode {static | dhcp}
        set ip6 {interface_ipv6mask}
      next
    end

    where:

    • <interface_name> is the name of the redundant interface configuration that you want to create
    • intf {<port_name> ...} is each port that you want to include in the configuration
    • mode {static | dhcp} specifies whether the interface obtains its IPv4 address and netmask using DHCP
    • ip {interface_ipv4mask} is the IPv4 address assigned to the network interface if you use a static IP
    • ip6-mode {static | dhcp} specifies whether the interface obtains its IPv6 address using DHCP
    • ip6 {interface_ipv6mask} is the IPv6 address assigned to the network interface if you use a static IP

    Adding a gateway

    Static routes direct traffic exiting the FortiWeb appliance based upon the packet’s destination—you can specify through which network interface a packet leaves and the IP address of a next-hop router that is reachable from that network interface. Routers are aware of which IP addresses are reachable through various network pathways and can forward those packets along pathways capable of reaching the packets’ ultimate destinations. Your FortiWeb itself does not need to know the full route, as long as the routers can pass along the packet.

    True transparent and Transparent Inspection operation modes require that you specify the gateway when configuring the operation mode. In that case, you have already configured a static route. You do not need to repeat this step.

    You must configure FortiWeb with at least one static route that points to a router, often a router that is the gateway to the Internet. You may need to configure multiple static routes if you have multiple gateway routers (e.g. each of which should receive packets destined for a different subset of IP addresses), redundant routers (e.g. redundant Internet/ISP links), or other special routing cases.

    However, often you will only need to configure one route: a default route.

    For example, if a web server is directly attached to one physical port on the FortiWeb, but all other destinations, such as connecting clients, are located on distant networks, such as the Internet, you might need to add only one route: a default route that indicates the gateway router through which FortiWeb sends traffic towards the Internet.

    If your management computer is not directly attached to one of the physical ports of the FortiWeb appliance, you may also require a static route so that your management computer is able to connect with the web UI and CLI.

    When you add a static route through the web UI, the FortiWeb appliance evaluates the route to determine if it represents a different route compared to any other route already present in the list of static routes. If no route having the same destination exists in the list of static routes, the FortiWeb appliance adds the static route, using the next unassigned route index number. The index number of the route in the list of static routes is not necessarily the same as its position in the routing table (diagnose network route list).

    You can also configure FortiWeb to route traffic to a specific network interface/gateway combination based on a packet’s source and destination IP address, instead of the static route configuration. For details, see Creating a policy route.

    To add a static route via the web UI
    1. Go to System > Network > Route and select the Static Route tab.
      To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the Router Configuration category. For details, see Permissions.
    2. Click Create New.
    3. Configure these settings:
      Destination IP/Mask Type the destination IP address and network mask of packets that will be subject to this static route, separated by a slash ( / ).

      The value 0.0.0.0/0.0.0.0 or ::/0 results in a default route, which matches the DST field in the IP header of all packets.
      Gateway Type the IP address of the next-hop router where the FortiWeb forwards packets subject to this static route. This router must know how to route packets to the destination IP addresses that you have specified in Destination IP/Mask, or forward packets to another router with this information.

      For a direct Internet connection, this is the router that forwards traffic towards the Internet, and could belong to your ISP.

      Caution: The gateway IP address must be in the same subnet as the interface’s IP address. Failure to do so will cause FortiWeb to delete all static routes, including the default gateway.
      Interface Select the name of the network interface through which the packets subject to the static route will egress towards the next-hop router.

      Note: Making a default route for your FortiWeb is a typical best practice: if there is no other, more specific static route defined for a packet’s destination IP address, a default route will match the packet, and pass it to a gateway router so that any packet can reach its destination.

      If you do not define a default route, and if there is a gap in your routes where no route matches a packet’s destination IP address, packets passing through the FortiWeb towards those IP addresses will, in effect, be null routed. While this can help to ensure that unintentional traffic cannot leave your FortiWeb and therefore can be a type of security measure, the result is that you must modify your routes every time that a new valid destination is added to your network. Otherwise, it will be unreachable. A default route ensures that this kind of locally-caused “destination unreachable” problem does not occur.
    4. Click OK.

      The FortiWeb appliance should now be reachable from the networks indicated by the mask.
    5. To verify connectivity, from a host on the route’s destination network, attempt to connect to the FortiWeb appliance’s web UI via HTTP and/or HTTPS. (At this point in the installation, you have not yet configured a policy, and therefore, if in Reverse Proxy mode, cannot test connectivity through the FortiWeb.)
    By default, in Reverse Proxy mode, FortiWeb’s virtual servers will not forward non-HTTP/HTTPS traffic to your protected web servers. (Only traffic picked up and allowed by the HTTP Reverse Proxy will be forwarded.) You may be able to provide connectivity by either deploying in a one-arm topology where other protocols bypass FortiWeb, or by enabling FortiWeb to route other protocols. See also Topology for Reverse Proxy mode and the config router setting command in the FortiWeb CLI Reference.

    If the connectivity test fails, you can use the CLI commands:

    execute ping <destination_ipv4>

    to determine if a complete route exists from the FortiWeb to the host, and

    execute traceroute <destination_ipv4>

    to determine the point of connectivity failure.

    Also enable PING on the FortiWeb’s network interface, or configure an IP address on the bridge, then use the equivalent tracert or traceroute command on the host (depending on its operating system) to test routability for traffic traveling in the opposite direction: from the host to the FortiWeb.

    • If these tests fail, or if you do not want to enable PING, first examine the static route configuration on both the host and FortiWeb.

      To display the routing table, enter the CLI command:

      diagnose network route list

      You may also need to verify that the physical cabling is reliable and not loose or broken, that there are no IP address or MAC address conflicts or blacklisting, and otherwise rule out problems at the physical, network, and transport layer.
    • If these tests succeed, a route exists; if you still cannot connect using HTTP or HTTPS, an application-layer problem is preventing connectivity.

      Verify that you have enabled HTTPS and/or HTTP on the network interface. Also examine routers and firewalls between the host and the FortiWeb appliance to verify that they permit HTTP and/or HTTPS connectivity between them. Finally, you can also use the CLI command:

      diagnose system top 5 30

      to verify that the daemons for the web UI and CLI, such as sshd, newcli, and httpsd are running and not overburdened. For details, see the FortiWeb CLI Reference:

      http://docs.fortinet.com/fortiweb/reference
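    The Caution above (the gateway must be on the interface’s subnet, or FortiWeb deletes all static routes) and the rule that two network interfaces cannot have IP addresses on the same subnet are both worth checking before a route is committed. The following Python script is an added example, not FortiWeb code and not part of this guide: it models the interface and route fields with the standard ipaddress module and runs the two checks over constructed sample addresses from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24). The dictionary keys dst, gateway and device simply mirror the config router static keywords shown in this chapter; they are not a FortiWeb API.

```python
import ipaddress
from typing import Dict, List, Tuple


def check_gateway(interface_ip_mask: str, gateway: str) -> Tuple[bool, str]:
    """Return (ok, message): the gateway must be on-link for the interface, i.e. in the
    same address family and inside the interface's subnet, and not the interface's own address."""
    iface = ipaddress.ip_interface(interface_ip_mask)
    gw = ipaddress.ip_address(gateway)
    if gw.version != iface.version:
        return False, "gateway %s is IPv%d but interface %s is IPv%d" % (gw, gw.version, iface.ip, iface.version)
    if gw == iface.ip:
        return False, "gateway %s is the interface's own address" % gw
    if gw not in iface.network:
        return False, "gateway %s is not in the interface subnet %s" % (gw, iface.network)
    return True, "gateway %s is on-link for %s" % (gw, iface.network)


def find_overlapping_subnets(interfaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Report pairs of interfaces whose configured subnets overlap (this guide's rule is that
    two network interfaces cannot have IP addresses on the same subnet)."""
    names = sorted(interfaces)
    overlaps = []
    for i, a in enumerate(names):
        net_a = ipaddress.ip_interface(interfaces[a]).network
        for b in names[i + 1:]:
            net_b = ipaddress.ip_interface(interfaces[b]).network
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                overlaps.append((a, b))
    return overlaps


def validate_static_routes(interfaces: Dict[str, str], routes: List[Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the routes are safe to apply.
    interfaces maps interface name -> 'address/mask'; each route is a dict with the
    keys dst, gateway and device (constructed here to mirror config router static)."""
    problems = ["%s and %s have addresses on the same subnet" % pair
                for pair in find_overlapping_subnets(interfaces)]
    for r in routes:
        dst = ipaddress.ip_network(r["dst"], strict=False)  # accepts 0.0.0.0/0.0.0.0 and ::/0
        if r["device"] not in interfaces:
            problems.append("route %s: unknown interface %s" % (dst, r["device"]))
            continue
        iface = ipaddress.ip_interface(interfaces[r["device"]])
        if dst.version != iface.version:
            problems.append("route %s: address family differs from interface %s" % (dst, r["device"]))
            continue
        ok, msg = check_gateway(interfaces[r["device"]], r["gateway"])
        if not ok:
            problems.append("route %s: %s" % (dst, msg))
    return problems


def demo() -> List[str]:
    """Constructed sample: port1 and port2 share a subnet, and the second route's gateway
    is off-link, which is exactly the case the Caution above warns about."""
    interfaces = {"port1": "192.0.2.2/24", "port2": "192.0.2.130/24", "port3": "198.51.100.1/24"}
    routes = [
        {"dst": "0.0.0.0/0.0.0.0", "gateway": "192.0.2.1", "device": "port1"},     # default route, fine
        {"dst": "203.0.113.0/24", "gateway": "198.51.100.254", "device": "port1"},  # off-link gateway
    ]
    return validate_static_routes(interfaces, routes)


if __name__ == "__main__":
    for problem in demo() or ["no problems found"]:
        print(problem)
```

    Running the script on the constructed sample reports two problems: the shared subnet on port1/port2, and the 203.0.113.0/24 route whose gateway 198.51.100.254 is not inside port1’s subnet 192.0.2.0/24. Run the same checks against your own interface and route list before clicking OK or entering config router static.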
    To add a default route via the CLI
    1. Enter the following commands:
      config router static
        edit <route_index>
          set gateway <gateway_ipv4>
          set device <interface_name>
      end

      where:

      • <route_index> is the index number of the route in the list of static routes
      • <gateway_ipv4> is the IP address of the gateway router
      • <interface_name> is the name of the network interface through which packets will egress, such as port1

    The FortiWeb appliance should now be reachable from the networks indicated by the mask.

  • To verify connectivity, from a host on the network applicable to the route, attempt to connect to the FortiWeb appliance’s web UI via HTTP and/or HTTPS. (At this point in the installation, you have not yet configured a policy, and therefore, if in Reverse Proxy mode, cannot test connectivity through the FortiWeb.)
  • By default, in Reverse Proxy mode, FortiWeb’s virtual servers will not forward non-HTTP/HTTPS traffic to your protected web servers. (Only traffic picked up and allowed by the HTTP Reverse Proxy will be forwarded.) You may be able to provide connectivity by either deploying in a one-arm topology where other protocols bypass FortiWeb, or by enabling FortiWeb to route other protocols. See also Topology for Reverse Proxy mode and the config router setting command in the FortiWeb CLI Reference:

    http://docs.fortinet.com/fortiweb/reference

    If the connectivity test fails, you can use the CLI commands:

    execute ping <destination_ipv4>

    to determine if a complete route exists from the FortiWeb to the host, and

    execute traceroute <destination_ipv4>

    to determine the point of connectivity failure. For details, see the FortiWeb CLI Reference (http://docs.fortinet.com/fortiweb/reference). Also enable ping on the FortiWeb (see To configure a network interface’s IPv4 address via the CLI), then use the equivalent tracert or traceroute command on the host (depending on its operating system) to test routability for traffic traveling in the opposite direction: from the host to the FortiWeb.

    • If these tests fail, or if you do not want to enable PING, first examine the static route configuration on both the host and FortiWeb.

      To display all routes with their priorities, enter the CLI command:

      diagnose network route list

      You may also need to verify that the physical cabling is reliable and not loose or broken, that there are no IP address or MAC address conflicts or blacklisting, and otherwise rule out problems at the physical, network, and transport layer.
    • If these tests succeed, a route exists; if you still cannot connect using HTTP or HTTPS, an application-layer problem is preventing connectivity.

      Verify that you have enabled HTTPS and/or HTTP on the network interface (see To configure a network interface’s IPv4 address via the CLI). Also examine routers and firewalls between the host and the FortiWeb appliance to verify that they permit HTTP and/or HTTPS connectivity between them. Finally, you can also use the CLI command:

      diagnose system top 5 30

      to verify that the daemons for the web UI and CLI, such as sshd, newcli, and httpsd are running and not overburdened. For details, see the FortiWeb CLI Reference (http://docs.fortinet.com/fortiweb/reference).
    Creating a policy route

    In most cases, you use policy routes in Reverse Proxy mode. In this mode, requests are destined for a virtual server’s network interface and IP address on FortiWeb, not a web server directly. When FortiWeb sends a response packet to the client that initiated the request, the source IP in the response packet is the virtual server's IP address, not the web server's IP address. The following paragraphs explain how to use policy routes to direct traffic to different next-hop gateways based on the source IP in the response packet.

    The difference between static route and policy route

    As introduced in the previous section, a static route forwards outgoing traffic based on the destination IP, and it is usually used when there is only one gateway connected to FortiWeb that forwards FortiWeb's outgoing traffic to any destination. But what if there are multiple gateways, and FortiWeb's outgoing traffic to any destination should be forwarded to different gateways?

    The most common case is that multiple gateways are installed to forward clients' requests from networks operated by different ISPs, let's say ISP1 and ISP2. When FortiWeb sends back the response packet, there must be a rule telling FortiWeb to send it to the right gateway so that a packet destined for ISP1's network is not sent to the gateway connecting to ISP2. For this case, a static route is not the right choice, because a static route distinguishes the next-hop gateways based on the packet's destination IP, but the destination IP inside each ISP could be anything.

    A policy route is well suited to solving this issue (usually called the asymmetric routing issue). The best practice is to create two virtual servers on FortiWeb to receive and send packets, and then create policy routes to forward the response packets to the right next-hop router based on source IPs (the virtual servers' IP addresses).

    Using policy route to divert traffic based on source IPs

    We will use the following network topology as an example to illustrate how to use policy routes to divert traffic based on the source IP in the response packet.

    To direct FortiWeb's outgoing traffic to the default gateway (1.1.1.254) and gateway2 (2.2.2.254):

    • Configure the following policy route so that packets with source IP 2.2.2.1/24 exit FortiWeb through port2 to the next-hop gateway whose IP address is 2.2.2.254.
      Make sure not to select the incoming interface, because in Reverse Proxy mode FortiWeb does not carry the incoming interface information in the outgoing packet.
    • Configure the following static route so that all other traffic which doesn't match the conditions specified in the policy route is forwarded to the default gateway whose IP address is 1.1.1.254.

    A policy route has higher priority than a static route. In this example, a packet exiting FortiWeb with source IP 2.2.2.1 matches both the static route and the policy route, but the system applies only the policy route to the packet because the policy route has higher priority.

    Tip: In this case, the source IPs in the outgoing packets are either 2.2.2.1 or 1.1.1.1, so, instead of configuring a static route, you can alternatively configure another policy route specifying the Source address as 1.1.1.1/24, the Outgoing Interface as port1, and the Gateway Address as 1.1.1.254.

    Using policy route and the ip-forward command to configure FortiWeb as a router

    In Reverse Proxy mode, policy route can also be used together with the ip-forward command to configure FortiWeb as a router to forward the non-HTTP/HTTPS traffic to back-end servers. The non-HTTP/HTTPS traffic is handled in the following ways:

    • Any non-HTTP/HTTPS traffic destined for a virtual server on the appliance is dropped.
    • For any non-HTTP/HTTPS traffic destined for another destination (for example, a back-end server), FortiWeb acts as a router and forwards it to its destination address. The incoming and outgoing interfaces configured in the policy routes are used to forward the non-HTTP/HTTPS traffic.

    For example, you can create a policy route with the following settings so that all the traffic from the incoming interface port4 will exit FortiWeb through the outgoing interface port1.

    Then, connect to FortiWeb's CLI and run the following command to enable ip-forward:

    config router setting
      set ip-forward enable
      set ip6-forward enable
    end

    To create a policy route
    1. Go to System > Network > Route and select the Policy Route tab.
    2. Complete the following settings:
      If traffic matches:
      Incoming Interface Select the interface on which FortiWeb receives packets it applies this routing policy to.
      Source address/mask (IPv4/IPv6) Enter the source IP address and network mask to match. When a packet matches the specified address, FortiWeb routes it according to this policy.
      Destination address/mask (IPv4/IPv6) Enter the destination IP address and network mask to match. When a packet matches the specified address, FortiWeb routes it according to this policy.
      Fwmark Enter the Fwmark value specified in Firewall Fwmark Policy. If you don't need to match traffic against the Fwmark value, enter the value 0. The valid range is 0-255.

      Force traffic to:
      Action
      Forward Traffic: FortiWeb filters traffic against the specified conditions and forwards the traffic according to this policy route.
      Stop Policy Routing: FortiWeb filters traffic against the specified conditions and forwards the traffic according to the matched static route.
      Outgoing Interface Select the interface through which FortiWeb routes packets that match the specified IP address information.
      Gateway Address (IPv4/IPv6) Enter the IP address of the next-hop router where FortiWeb forwards packets that match the specified IP address information.

      Ensure this router knows how to route packets to the destination IP address or forwards packets to another router with this information.

      A gateway address is not required for the particular policy routes used as static routes in a one-arm topology; leave this blank for a one-arm topology.
      Priority Enter a value between 1 and 200 that specifies the priority of the route. When packets match more than one policy route, FortiWeb directs traffic to the route with the lowest value.
    3. Click OK.

    Notice for using policy route in a one-arm topology

    Since FortiWeb's policy route has higher priority than static route (any packet is evaluated against policy routes first, then static routes), when a FortiWeb is deployed in a one-arm topology (see Planning the network topology) and any policy route is configured for the FortiWeb to access other networks, we strongly recommend that you add particular policy routes with higher priority that perform the static routing within the connected network subnets.

    For example, a policy route might be set for updating the signature and virus databases through the Internet. In that case, packets that FortiWeb forwards for Reverse Proxy mode within subnet 192.0.2.0/24 might match that policy route first rather than the static route, so the packets could be directed along an incorrect path (which results in a failed Reverse Proxy). Therefore, whatever configuration you have for the policy routes, we strongly suggest that an extra policy route be set, for this example, like the following:

    Destination address/mask = 192.0.2.0/24

    Outgoing Interface = port3

    Priority = 10

    This particular policy route acts as a static route that chooses port3 as the path for packets destined to subnet 192.0.2.0/24. To make sure all packets are evaluated against the particular policy routes before other normal policy routes, those particular policy routes must be assigned a higher (or the highest) priority than the other policy routes. This particular policy route, with a higher (or the highest) priority and no gateway specified, essentially reverses the fact that policy routes have higher priority than static routes.
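    To make the evaluation order concrete, the following Python script is an added example, not FortiWeb code and not part of this guide. It simulates the lookup described in this notice and in Using policy route to divert traffic based on source IPs: policy routes are consulted first in ascending Priority value, a matching Forward Traffic entry wins outright, Stop Policy Routing falls through to the static table, and static routes use longest-prefix match. The 1.1.1.x and 2.2.2.x addresses are the ones used in the ISP example on this page; the update gateway 192.0.2.1, the back-end server 192.0.2.50 and the client 203.0.113.7 are constructed for the scenarios. Treating a policy route with no gateway as direct delivery on the outgoing interface is an assumption drawn from the text above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Result = Tuple[Optional[str], Optional[str], str]  # (egress interface, next hop, reason)


@dataclass
class PolicyRoute:
    """One Policy Route entry as described on this page (a model, not FortiWeb code)."""
    priority: int                  # 1-200; the lowest value is evaluated first
    oif: str                       # Outgoing Interface
    src: Optional[str] = None      # Source address/mask, None means any
    dst: Optional[str] = None      # Destination address/mask, None means any
    iif: Optional[str] = None      # Incoming Interface, None means any
    gateway: Optional[str] = None  # Gateway Address; None = deliver directly on the link (assumption)
    action: str = "forward"        # "forward" (Forward Traffic) or "stop" (Stop Policy Routing)

    def matches(self, pkt: Dict[str, Optional[str]]) -> bool:
        if self.iif is not None and pkt["iif"] != self.iif:
            return False
        for field, key in ((self.src, "src"), (self.dst, "dst")):
            if field is not None and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(field, strict=False):
                return False
        return True


@dataclass
class StaticRoute:
    dst: str                       # Destination IP/Mask; 0.0.0.0/0 is the default route
    device: str                    # egress interface
    gateway: Optional[str] = None  # None for a directly connected subnet


def route_lookup(pkt: Dict[str, Optional[str]], policy: List[PolicyRoute], static: List[StaticRoute]) -> Result:
    """Policy routes first (ascending priority, first match wins); a matching 'stop' entry
    hands the packet to the static table, where the longest matching prefix wins."""
    for pr in sorted(policy, key=lambda r: r.priority):
        if pr.matches(pkt):
            if pr.action == "stop":
                break
            return pr.oif, pr.gateway, "policy route priority %d" % pr.priority
    best, best_len = None, -1
    for sr in static:
        net = ipaddress.ip_network(sr.dst, strict=False)
        if ipaddress.ip_address(pkt["dst"]) in net and net.prefixlen > best_len:
            best, best_len = sr, net.prefixlen
    if best is None:
        return None, None, "no matching route (packet is null routed)"
    return best.device, best.gateway, "static route %s" % best.dst


def isp_example() -> Dict[str, Result]:
    """Two virtual servers: 1.1.1.1 behind gateway 1.1.1.254 on port1, 2.2.2.1 behind 2.2.2.254
    on port2. Responses carry no incoming interface, so the policy route matches on source only."""
    policy = [PolicyRoute(priority=1, oif="port2", src="2.2.2.1/24", gateway="2.2.2.254")]
    static = [StaticRoute(dst="0.0.0.0/0", device="port1", gateway="1.1.1.254")]
    results = {}
    for vs_ip in ("2.2.2.1", "1.1.1.1"):
        pkt = {"iif": None, "src": vs_ip, "dst": "203.0.113.7"}  # constructed client address
        results[vs_ip] = route_lookup(pkt, policy, static)
    return results


def one_arm_example(with_fix: bool) -> Result:
    """One-arm deployment on port3 in 192.0.2.0/24. A catch-all policy route sends traffic to
    an Internet gateway for signature updates; without the extra priority-10 route, packets
    for a back-end server in the connected subnet are forced to that gateway as well."""
    policy = [PolicyRoute(priority=100, oif="port3", gateway="192.0.2.1")]  # constructed update gateway
    if with_fix:
        # The extra route from the text: destination 192.0.2.0/24, port3, priority 10, no gateway.
        policy.append(PolicyRoute(priority=10, oif="port3", dst="192.0.2.0/24"))
    static = [StaticRoute(dst="192.0.2.0/24", device="port3")]  # connected subnet
    pkt = {"iif": "port3", "src": "192.0.2.10", "dst": "192.0.2.50"}  # constructed back-end server
    return route_lookup(pkt, policy, static)


if __name__ == "__main__":
    for src, res in isp_example().items():
        print("response from %s -> %s via %s (%s)" % ((src,) + res))
    print("one-arm without fix:", one_arm_example(False))
    print("one-arm with fix:   ", one_arm_example(True))
```

    In the ISP scenario the response from 2.2.2.1 leaves via port2 to 2.2.2.254 and the response from 1.1.1.1 falls through to the default static route. In the one-arm scenario, without the extra route the back-end packet is forced to the update gateway; with the priority-10 route and no gateway it is delivered directly on port3, which is the effect the notice above describes.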

    See also